[gnutls-devel] GnuTLS | gnutls-cli sends TLS 1.3 protocol version in ClientHello.legacy_version field in HRR case (#535)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Aug 2 17:35:09 CEST 2018


New Issue was created.

Issue 535: https://gitlab.com/gnutls/gnutls/issues/535
Author:    Hubert Kario
Assignee:  

## Description of problem:
When GnuTLS is forced to perform HRR, it will send a Client Hello with version set to 0x7f1c (TLS 1.3 draft 28). This breaks the connection, as the first and second Client Hello must be identical with just a few exceptions. It is also a protocol violation, as the new versions can show up only in the `supported_versions` extension.

## Version of gnutls used:
4e87865c0152a98b899272dbe7cf3a459e04b351

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
local compile, Fedora 27

## How reproducible:

Steps to Reproduce:

 * use tlslite-ng (master, 02852484e5ca), reconfigure it using the following patch to force sending HRR:
   ```patch
   diff --git a/tlslite/handshakesettings.py b/tlslite/handshakesettings.py
   index ccf08d6..821277f 100644
   --- a/tlslite/handshakesettings.py
   +++ b/tlslite/handshakesettings.py
   @@ -213,11 +213,11 @@ class HandshakeSettings(object):
            self.rsaSigHashes = list(RSA_SIGNATURE_HASHES)
            self.rsaSchemes = list(RSA_SCHEMES)
            # DH key settings
   -        self.eccCurves = list(CURVE_NAMES)
   +        self.eccCurves = ['secp384r1']#list(CURVE_NAMES)
            self.dhParams = None
            self.dhGroups = list(ALL_DH_GROUP_NAMES)
   -        self.defaultCurve = "secp256r1"
   -        self.keyShares = ["secp256r1", "x25519"]
   +        self.defaultCurve = "secp384r1"
   +        self.keyShares = []#["secp256r1", "x25519"]
            self.padding_cb = None
    
        def _init_misc_extensions(self):
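   Review bot: the commented-out originals left as trailing comments on the `eccCurves` and `keyShares` lines (`#list(CURVE_NAMES)`, `#["secp256r1", "x25519"]`) mark this as a throwaway reproducer rather than a mergeable change; if it is ever kept, drop the dead comments and expose the group restriction as a `scripts/tls.py` option instead of rewriting the library defaults. The reproduction step would also read better if it said that narrowing `eccCurves` to secp384r1 is the part that makes the server answer gnutls-cli's initial key share with a HelloRetryRequest.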
   diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
   index 154bbcf..e71fdd5 100644
   --- a/tlslite/tlsconnection.py
   +++ b/tlslite/tlsconnection.py
   @@ -3060,6 +3060,8 @@ class TLSConnection(TLSRecordLayer):
                        clientHello1.extensions.remove(old_ext)
    
                    if clientHello1 != clientHello:
   +                    print("old hello: {0!r}".format(clientHello1))
   +                    print("new hello: {0!r}".format(clientHello))
                        for result in self._sendError(AlertDescription
                                                      .illegal_parameter,
                                                      "Old Client Hello does not "
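   Review bot: the two `print` calls dump the full `repr` of both hellos, including the 32-byte random and the whole key share, so the single field that actually differs (`client_version`) is hard to pick out of the two long lines in the server output below; printing only the attributes that differ, or routing this through the module's logging, would be more useful, and in any case these prints must not remain in `_serverGetClientHello` after the debugging session.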
   ```
 * start server: `PYTHONPATH=. python scripts/tls.py server -c tests/serverX509Cert.pem -k tests/serverX509Key.pem localhost:4433`
 * connect gnutls: `src/gnutls-cli --insecure --port 4433 --resume --priority NORMAL:+VERS-TLS1.3 localhost`

## Actual results:
```
Processed 0 CA certificate(s).
Resolving 'localhost:4433'...
Connecting to '::1:4433'...
Connecting to '127.0.0.1:4433'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [47]: Illegal parameter
*** handshake has failed: A TLS fatal alert has been received.
```

on server side:
```
I am an HTTPS test server, I will listen on localhost:4433
Serving files from /home/hkario/dev/tlslite-1
Using certificate and private key...
About to handshake...
old hello: ClientHello(ssl2=False, client_version=(3.3), random=bytearray(b'K\xddly6\xf2\xcb\xb8\xc70H\xf3\xac\xdb\x19\x13\xfb\xd4\xb7\x07\xa0.\x0b\xb9\xbe\x98\x95\xfd+Df\xea'), session_id=bytearray(b''), cipher_suites=[4866, 4867, 4865, 4868, 49196, 52393, 49325, 49162, 49195, 49324, 49161, 49200, 52392, 49172, 49199, 49171, 157, 49309, 53, 156, 49308, 47, 159, 52394, 49311, 57, 158, 49310, 51], compression_methods=[0], extensions=[StatusRequestExtension(status_type=1, responder_id_list=[], request_extensions=bytearray(b'')), SupportedGroupsExtension(groups=[secp256r1, secp384r1, secp521r1, x25519, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe8192]), ECPointFormatsExtension(formats=[uncompressed]), SignatureAlgorithmsExtension(sigalgs=[rsa_pkcs1_sha256, rsa_pss_pss_sha256, rsa_pss_rsae_sha256, (sha256, ecdsa), (8, 7), rsa_pkcs1_sha384, rsa_pss_pss_sha384, rsa_pss_rsae_sha384, (sha384, ecdsa), rsa_pkcs1_sha512, rsa_pss_pss_sha512, rsa_pss_rsae_sha512, (sha512, ecdsa), rsa_pkcs1_sha1, (sha1, ecdsa)]), TLSExtension(extType=22, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=23, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=35, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=51, extData=bytearray(b'\x00e\x00\x18\x00a\x04\xfc\xfb\x1e\xc9\x8e\xbf\xa2 \x90|\xae\xbd\x05\x92\x18\r\xc5\xb8PuK?Nv\x15\x1f\xe2\x8dp\xf3\x1b\x9e\xac\xc1!\x8d\x9e\xbeW&\xfd\x12v\x18XbK\xf6\xfb\x1f\xc6\x93\xff\xe2A|/0re%\xe9C\xb1\xf3d\x93\xaf\xa9V\xe1{XZ\x18\xed\x10\x83\x1a\xbd\x1d\xa9a\xb1\xdb\xeb\xb0`\xeb\x01=\x865\xe7%\x8e'), serverType=False, encExtType=False), SupportedVersionsExtension(versions=[(3, 3), (3, 2), (3, 1), (127, 28)]), RenegotiationInfoExtension(len(renegotiated_connection)=0), SNIExtension(serverNames=[ServerName(name_type=0, name=bytearray(b'localhost'))]), CookieExtension(len(cookie)=32), PskKeyExchangeModesExtension(modes=[psk_dhe_ke, psk_ke])])
new hello: ClientHello(ssl2=False, client_version=(127.28), random=bytearray(b'K\xddly6\xf2\xcb\xb8\xc70H\xf3\xac\xdb\x19\x13\xfb\xd4\xb7\x07\xa0.\x0b\xb9\xbe\x98\x95\xfd+Df\xea'), session_id=bytearray(b''), cipher_suites=[4866, 4867, 4865, 4868, 49196, 52393, 49325, 49162, 49195, 49324, 49161, 49200, 52392, 49172, 49199, 49171, 157, 49309, 53, 156, 49308, 47, 159, 52394, 49311, 57, 158, 49310, 51], compression_methods=[0], extensions=[StatusRequestExtension(status_type=1, responder_id_list=[], request_extensions=bytearray(b'')), SupportedGroupsExtension(groups=[secp256r1, secp384r1, secp521r1, x25519, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe8192]), ECPointFormatsExtension(formats=[uncompressed]), SignatureAlgorithmsExtension(sigalgs=[rsa_pkcs1_sha256, rsa_pss_pss_sha256, rsa_pss_rsae_sha256, (sha256, ecdsa), (8, 7), rsa_pkcs1_sha384, rsa_pss_pss_sha384, rsa_pss_rsae_sha384, (sha384, ecdsa), rsa_pkcs1_sha512, rsa_pss_pss_sha512, rsa_pss_rsae_sha512, (sha512, ecdsa), rsa_pkcs1_sha1, (sha1, ecdsa)]), TLSExtension(extType=22, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=23, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=35, extData=bytearray(b''), serverType=False, encExtType=False), TLSExtension(extType=51, extData=bytearray(b'\x00e\x00\x18\x00a\x04\xfc\xfb\x1e\xc9\x8e\xbf\xa2 \x90|\xae\xbd\x05\x92\x18\r\xc5\xb8PuK?Nv\x15\x1f\xe2\x8dp\xf3\x1b\x9e\xac\xc1!\x8d\x9e\xbeW&\xfd\x12v\x18XbK\xf6\xfb\x1f\xc6\x93\xff\xe2A|/0re%\xe9C\xb1\xf3d\x93\xaf\xa9V\xe1{XZ\x18\xed\x10\x83\x1a\xbd\x1d\xa9a\xb1\xdb\xeb\xb0`\xeb\x01=\x865\xe7%\x8e'), serverType=False, encExtType=False), SupportedVersionsExtension(versions=[(3, 3), (3, 2), (3, 1), (127, 28)]), RenegotiationInfoExtension(len(renegotiated_connection)=0), SNIExtension(serverNames=[ServerName(name_type=0, name=bytearray(b'localhost'))]), CookieExtension(len(cookie)=32), PskKeyExchangeModesExtension(modes=[psk_dhe_ke, psk_ke])])
----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 46552)
Traceback (most recent call last):
  File "/usr/lib64/python2.7/SocketServer.py", line 596, in process_request_thread
    self.finish_request(request, client_address)
  File "/home/hkario/dev/tlslite-1/tlslite/integration/tlssocketservermixin.py", line 55, in finish_request
    if self.handshake(tlsConnection) == True:
  File "scripts/tls.py", line 500, in handshake
    sni=sni)
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 1694, in handshakeServer
    nextProtos=nextProtos, anon=anon, alpn=alpn, sni=sni):
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 1723, in handshakeServerAsync
    for result in self._handshakeWrapperAsync(handshaker, checker):
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 3462, in _handshakeWrapperAsync
    for result in handshaker:
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 1767, in _handshakeServerAsyncHelper
    anon, alpn, sni):
  File "/home/hkario/dev/tlslite-1/tlslite/tlsconnection.py", line 3067, in _serverGetClientHello
    "Old Client Hello does not "
  File "/home/hkario/dev/tlslite-1/tlslite/tlsrecordlayer.py", line 581, in _sendError
    raise TLSLocalAlert(alert, errorStr)
TLSLocalAlert: illegal_parameter: Old Client Hello does not match the updated Client Hello
----------------------------------------
```

## Expected results:
Connection established
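
As an added illustration (not code from GnuTLS or tlslite-ng), a Python check for the two rules the report relies on: `legacy_version` must stay 0x0303 with TLS 1.3 signalled only in `supported_versions`, and the second ClientHello after a HelloRetryRequest may differ from the first only in the extensions RFC 8446 section 4.1.2 lists (key_share, cookie, pre_shared_key, padding, early_data). The builder constructs minimal sample hellos; 0x7f1c is the draft-28 version from the report, and the extension numbers are the IANA registry values.

```python
import struct

TLS12 = 0x0303                  # the only value legacy_version may carry (RFC 8446 4.1.2)
SUPPORTED_VERSIONS, KEY_SHARE, COOKIE = 43, 51, 44      # extension type numbers
PRE_SHARED_KEY, PADDING, EARLY_DATA = 41, 21, 42
# Extensions the second ClientHello after a HelloRetryRequest is allowed to change.
HRR_MUTABLE = {KEY_SHARE, COOKIE, PRE_SHARED_KEY, PADDING, EARLY_DATA}


def parse_client_hello(body):
    """Parse a ClientHello body (after the 4-byte handshake header) into its fields."""
    off = 0
    legacy_version, = struct.unpack_from('>H', body, off); off += 2 + 32     # skip random
    sid_len = body[off]; session_id = body[off + 1:off + 1 + sid_len]; off += 1 + sid_len
    cs_len, = struct.unpack_from('>H', body, off); off += 2
    suites = body[off:off + cs_len]; off += cs_len
    off += 1 + body[off]                                    # legacy_compression_methods
    ext_len, = struct.unpack_from('>H', body, off); off += 2
    exts, end = {}, off + ext_len
    while off < end:                                        # extension_type -> extension_data
        etype, elen = struct.unpack_from('>HH', body, off); off += 4
        exts[etype] = body[off:off + elen]; off += elen
    return {'legacy_version': legacy_version, 'session_id': session_id,
            'cipher_suites': suites, 'extensions': exts}


def check_legacy_version(body):
    """The rule this issue is about: TLS 1.3 is signalled in supported_versions only."""
    lv = parse_client_hello(body)['legacy_version']
    return None if lv == TLS12 else 'legacy_version 0x%04x, expected 0x0303' % lv


def hrr_violations(first, second):
    """Names of fields that changed between the two hellos although they must not."""
    a, b = parse_client_hello(first), parse_client_hello(second)
    bad = [f for f in ('legacy_version', 'session_id', 'cipher_suites') if a[f] != b[f]]
    for etype in sorted(set(a['extensions']) | set(b['extensions'])):
        if etype not in HRR_MUTABLE and a['extensions'].get(etype) != b['extensions'].get(etype):
            bad.append('extension %d' % etype)
    return bad


def build_client_hello(legacy_version, versions, key_share=b''):
    """Constructed minimal ClientHello body for testing (not a captured packet)."""
    sv = bytes([2 * len(versions)]) + b''.join(struct.pack('>H', v) for v in versions)
    exts = struct.pack('>HH', SUPPORTED_VERSIONS, len(sv)) + sv
    exts += struct.pack('>HH', KEY_SHARE, len(key_share)) + key_share    # opaque share
    return (struct.pack('>H', legacy_version) + bytes(32) + b'\x00'      # version, random, no session id
            + struct.pack('>H', 2) + b'\x13\x01' + b'\x01\x00'           # one suite, null compression
            + struct.pack('>H', len(exts)) + exts)
```

Feeding it a first hello with 0x0303 and a retry hello with 0x7f1c reproduces the server's "does not match" verdict on exactly one field, `legacy_version`, while a retry that only swaps the key share passes.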
