[gnutls-devel] GnuTLS | For 2nd ClientHello in 0-RTT(TLS1.3), it should not be encrypted and early data extension should not exist. (#1429)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Nov 23 14:41:12 CET 2022
Hao Yu created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1429
## Description of problem:
When the GnuTLS client negotiates TLS 1.3, sends early data (0-RTT) and receives an HRR, the 2nd ClientHello does not match RFC 8446.
- The 2nd ClientHello MUST NOT be encrypted; it MUST be plaintext.
- The 2nd ClientHello MUST NOT include the early data extension (RFC 8446 section 4.2.10).
https://github.com/Mbed-TLS/mbedtls/pull/6485#issuecomment-1319707786 shows the detailed information.
## Version of gnutls used:
3.7.2
3.7.3
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
https://github.com/Mbed-TLS/mbedtls/pull/6485#issuecomment-1319707786 shows the server and client command.
And the mbedtls test code is https://github.com/yuhaoth/mbedtls1.3/tree/pr/tls13-gnutls-2nd-ClientHello-bug.
1. Put gnutls-cli in your PATH
2. Get mbedtls from the above link
3. In the mbedtls root, run `scripts/config.py full && make clean && make -j20 CFLAGS="-g -Werror" && ./tests/ssl-opt.sh -f "TLS 1.3 G->m: EarlyData: HRR check, enabled. good"`
tests/o-srv-1.log is the mbedtls server output.
tests/o-cli-1.log is the gnutls-cli output.
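
A check for the two RFC 8446 requirements named in the report, written as an added example; it is not code from the issue, GnuTLS or Mbed TLS. The function names and the sample records are constructed for illustration, and it assumes the input is the raw bytes the client sends after the HelloRetryRequest, with the ClientHello in a single unfragmented record.

```python
import struct

EARLY_DATA = 42                          # extension type, RFC 8446 section 4.2.10
CCS, HANDSHAKE, APP_DATA = 20, 22, 23    # TLS record content types
CLIENT_HELLO = 1                         # handshake message type

def extension_types(hello: bytes) -> list[int]:
    """Return the extension types of a ClientHello body (handshake header removed)."""
    pos = 2 + 32                                         # legacy_version + random
    pos += 1 + hello[pos]                                # legacy_session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
    pos += 1 + hello[pos]                                # legacy_compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    types = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        types.append(ext_type)
        pos += 4 + ext_len
    return types

def check_second_flight(flight: bytes) -> list[str]:
    """Check the first non-CCS record the client sends after a HelloRetryRequest."""
    pos = 0
    while pos + 5 <= len(flight):
        ctype, _version, length = struct.unpack_from("!BHH", flight, pos)
        body = flight[pos + 5 : pos + 5 + length]
        pos += 5 + length
        if ctype == CCS:          # a middlebox-compatibility CCS may come first
            continue
        if ctype == APP_DATA:     # encrypted TLS 1.3 records use outer type 23
            return ["second ClientHello is sent in an encrypted record"]
        if ctype != HANDSHAKE or not body or body[0] != CLIENT_HELLO:
            return ["first handshake message after HRR is not a ClientHello"]
        if EARLY_DATA in extension_types(body[4:]):
            return ["second ClientHello carries the early_data extension"]
        return []
    return ["no record found"]

def build_hello_record(ext_types, ctype=HANDSHAKE) -> bytes:
    """Constructed sample: minimal ClientHello whose extensions have empty bodies."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    msg = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", ctype, 0x0303, len(msg)) + msg
```

An empty list from `check_second_flight` means both requirements hold for the captured flight.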