<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h2 dir="auto">
<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>
<p dir="auto">GnuTLS appears to have logic to look at the key usage bits and filter the cipher suites in TLS 1.2, but it doesn't do the same in TLS 1.3, where the certificate key is only ever used for signing.</p>
<p dir="auto">The result is that callers who accidentally created an encryption-only RSA key silently worked at TLS 1.2 (though not ideally, since it forces a plain RSA key-exchange cipher suite), but break at TLS 1.3 once they upgrade to a newer GnuTLS.</p>
<p dir="auto">See also: <a href="https://github.com/apple/cups/issues/5506" rel="nofollow noreferrer noopener" target="_blank">https://github.com/apple/cups/issues/5506</a></p>
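<p dir="auto">To make the key usage distinction concrete, the following is an added Python example (not GnuTLS or BoringSSL code) that walks a certificate's DER, extracts the KeyUsage BIT STRING and reports which TLS roles the key may fill under strict enforcement. The embedded extensions block is decoded from <code>enc-only-cert.pem</code> above; the sign-only variant is constructed for contrast, and <code>tls_roles</code> accepts a whole certificate's DER (the base64-decoded PEM body) just as well.</p>

```python
# KeyUsage flags, RFC 5280 section 4.2.1.3; bit 0 is the MSB of the first content byte.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage, 2.5.29.15

def der_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(buf):
    """Split the content of a constructed DER value into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        out.append((tag, val))
    return out
def find_key_usage(der):
    """Depth-first search for the KeyUsage Extension SEQUENCE; returns its BIT STRING content or None."""
    stack = [der]
    while stack:
        children = der_children(stack.pop())
        if len(children) >= 2 and children[0] == (0x06, KEY_USAGE_OID):
            tag, bits, _ = der_tlv(children[-1][1], 0)  # extnValue OCTET STRING wraps the BIT STRING
            return bits if tag == 0x03 else None
        # Descend into SEQUENCE, SET and context-specific constructed values such as [3] extensions.
        stack.extend(v for t, v in children if t in (0x30, 0x31) or 0xA0 <= t <= 0xBF)
    return None

def key_usage_names(bits):
    """Map BIT STRING content (first byte = count of unused trailing bits) to flag names."""
    unused, data = bits[0], bits[1:]
    return [n for i, n in enumerate(KEY_USAGE_BITS)
            if i < len(data) * 8 - unused and data[i // 8] >> (7 - i % 8) & 1]

def tls_roles(der):
    """Roles an RSA certificate key may fill once key usage is enforced for every TLS version."""
    bits = find_key_usage(der)
    if bits is None:  # no KeyUsage extension: nothing is restricted
        return {"tls12_rsa_kex": True, "tls12_signing": True, "tls13": True}
    names = key_usage_names(bits)
    return {"tls12_rsa_kex": "keyEncipherment" in names,   # TLS_RSA_* suites decrypt the premaster secret
            "tls12_signing": "digitalSignature" in names,  # (EC)DHE_RSA suites sign the key exchange
            "tls13": "digitalSignature" in names}          # a TLS 1.3 certificate key only ever signs
# Extensions SEQUENCE decoded from enc-only-cert.pem above: critical KeyUsage = keyEncipherment (0x20).
ENC_ONLY_EXTENSIONS = bytes.fromhex("301e300e0603551d0f0101ff040403020520300c0603551d130101ff04023000")
# Constructed variant of the same block with KeyUsage = digitalSignature only (0x80).
SIGN_ONLY_EXTENSIONS = bytes.fromhex("301e300e0603551d0f0101ff040403020780300c0603551d130101ff04023000")
```

<p dir="auto">Run against the certificate above, <code>tls_roles</code> reports that only the TLS 1.2 RSA key-exchange role is permitted, which is exactly the split between the two <code>bssl</code> runs in the steps below.</p>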
<h2 dir="auto">
<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>
<p dir="auto">master branch</p>
<h2 dir="auto">
<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>
<p dir="auto">built from source</p>
<h2 dir="auto">
<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>
<p dir="auto">Steps to Reproduce:</p>
<ul dir="auto">
<li>Save the following as <code>enc-only-cert.pem</code>:</li>
</ul>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">-----BEGIN CERTIFICATE-----</span>
<span id="LC2" class="line" lang="plaintext">MIICzzCCAbegAwIBAgIRALllB5+ixBXbLJKkHn9ofl4wDQYJKoZIhvcNAQELBQAw</span>
<span id="LC3" class="line" lang="plaintext">EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xOTAyMDEyMjAwMDNaFw0xOTAyMDEyMjAw</span>
<span id="LC4" class="line" lang="plaintext">MDNaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw</span>
<span id="LC5" class="line" lang="plaintext">ggEKAoIBAQC6C9qEGRIBQXV8Lj29vVu+U+tyXzSSinWIumK5ijPhCm3DLnv4Rayx</span>
<span id="LC6" class="line" lang="plaintext">kFwemtnkGRZ/o94ZnsXkBfU/IlsYdkuq8wK9WI/ql3gwWjH+KARIhIQcSLGiJcLN</span>
<span id="LC7" class="line" lang="plaintext">6kGuG2nlRBKMcPgPiEq2B0yBXFf4tG3CBbeae7+8G7uvOmv8NLyKj32neWpnUCTL</span>
<span id="LC8" class="line" lang="plaintext">5o2VwyPoxjLxT5gUR69v9XSVFj2irCZbsEedeKSb++LqyMhLfnRTzNv+ZHNh4izZ</span>
<span id="LC9" class="line" lang="plaintext">HrktR25MvnT5QyBq32hx7AjZ2/xo70OmH7w10a2DwsVjJNMdxTEmgyvU9M6CeYRP</span>
<span id="LC10" class="line" lang="plaintext">X1Ykfg+sXCTtkTVAlBDUviIqY95CKy25AgMBAAGjIDAeMA4GA1UdDwEB/wQEAwIF</span>
<span id="LC11" class="line" lang="plaintext">IDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBfCc01lNWc68F9qHzt</span>
<span id="LC12" class="line" lang="plaintext">OZFquAps5KXiZXeXhHcYi7Xwk7AUwmX1LhDGkrZih6fPbM7uNXHqNKTEQwj8SDoo</span>
<span id="LC13" class="line" lang="plaintext">PFZ1EN3nbgjE7gV451xOcCeS+kW7poCeU7JWmdKgt4iL1SMJMjXtBIKbsp91YKLs</span>
<span id="LC14" class="line" lang="plaintext">HOUE6jYtLDyZ/Qk+kZBW8YbLIly937oott7yr7nXMWPNpOgiECAmSHUvzB1fSSuJ</span>
<span id="LC15" class="line" lang="plaintext">Mw4lx3sgVwxjCaQExKocKokFKB6oooO8DMmc9VD6MNOMY1Pv9Mrutb3KsmymjLdW</span>
<span id="LC16" class="line" lang="plaintext">RjNl0DVpWZxgWoJMAXOkowlwlEh+CCEXeVXGs/tD5Amtacg9M/b3pIONmciojCrx</span>
<span id="LC17" class="line" lang="plaintext">DvYB</span>
<span id="LC18" class="line" lang="plaintext">-----END CERTIFICATE-----</span></code></pre>
<ul dir="auto">
<li>Save the following as <code>enc-only-key.pem</code>.</li>
</ul>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">-----BEGIN PRIVATE KEY-----</span>
<span id="LC2" class="line" lang="plaintext">MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC6C9qEGRIBQXV8</span>
<span id="LC3" class="line" lang="plaintext">Lj29vVu+U+tyXzSSinWIumK5ijPhCm3DLnv4RayxkFwemtnkGRZ/o94ZnsXkBfU/</span>
<span id="LC4" class="line" lang="plaintext">IlsYdkuq8wK9WI/ql3gwWjH+KARIhIQcSLGiJcLN6kGuG2nlRBKMcPgPiEq2B0yB</span>
<span id="LC5" class="line" lang="plaintext">XFf4tG3CBbeae7+8G7uvOmv8NLyKj32neWpnUCTL5o2VwyPoxjLxT5gUR69v9XSV</span>
<span id="LC6" class="line" lang="plaintext">Fj2irCZbsEedeKSb++LqyMhLfnRTzNv+ZHNh4izZHrktR25MvnT5QyBq32hx7AjZ</span>
<span id="LC7" class="line" lang="plaintext">2/xo70OmH7w10a2DwsVjJNMdxTEmgyvU9M6CeYRPX1Ykfg+sXCTtkTVAlBDUviIq</span>
<span id="LC8" class="line" lang="plaintext">Y95CKy25AgMBAAECggEAHPvvxRiqx2tNRFVn5QF1I4erbJwMcrADc5OmAcXYIz0e</span>
<span id="LC9" class="line" lang="plaintext">sIOzaJBiQR9+Wn5BZ9nIuYXr+g3UQpvzAyz1CDCVxUIqsRj1AtUqMk4675+IW0vZ</span>
<span id="LC10" class="line" lang="plaintext">0RY6Jkq/uJjANsGqk78xLJQE8VaIXSdx8c1THznsx4dgfT6+Ni4T5U6yuA33OZaw</span>
<span id="LC11" class="line" lang="plaintext">4NdYZYtEkqNiqK6VYe4mAxxVh5qscihVVMGkBVqJNiiEotctm1lph8ow+7o8ggXO</span>
<span id="LC12" class="line" lang="plaintext">W9xm+RHHPcH7Epx7hjkb/helANcYOK950W5/R+2zWV9R6kxo6R+/hfGFFmCvl4k5</span>
<span id="LC13" class="line" lang="plaintext">+i8Y0IlEv3fze1E0Lwyf379i3C/cKcuaE5gwR54BAQKBgQDxlsNy9M37HgguglHt</span>
<span id="LC14" class="line" lang="plaintext">8W+cuPNtxNjFCWIjNR9dSvdr1Oi28Z1AY+BBPSv6UBKnT5PpOFjqxfMY/j/zoKdI</span>
<span id="LC15" class="line" lang="plaintext">aYX1phgeQHXcHrB1pS8yoaF/pTJSN2Yb8v9kl/Ch1yeYXaNVGmeBLkH9H6wIcUxD</span>
<span id="LC16" class="line" lang="plaintext">Mas1i8VUzshzhcluCNGoJj9wUQKBgQDFJOoWncssfWCrsuDWEoeU71Zh3+bD96GF</span>
<span id="LC17" class="line" lang="plaintext">s29CdIbHpcbxhWYjA9RM8yxbGPopexzoGcV1HX6j8E1s0xfYZJV23rxoM9Zj9l5D</span>
<span id="LC18" class="line" lang="plaintext">mZAJQPxYXIdu3h4PslhZLd3p+DEHjbsLC/avk3M4iZim1FMPBJMswKSL23ysqXoY</span>
<span id="LC19" class="line" lang="plaintext">/ynor+W06QKBgHYeu6M6NHgCYAe1ai+Hq4WaHFNgOohkJRqHv7USkVSkvb+s9LDl</span>
<span id="LC20" class="line" lang="plaintext">5GChcx4pBmXNj8ko5rirXkerEEOjGgdaqMfJlOM9qyKb0rVCtYfw5RCPCcKPGZqy</span>
<span id="LC21" class="line" lang="plaintext">vdJGQ74tf0uNBO34QgE0R8lmMevS0XHNGCPPGgV0MSfikvD82N15De1xAoGAbsZM</span>
<span id="LC22" class="line" lang="plaintext">RsMJfAlDPZc4oPEuf/BwMHTYPTsy5map2MSTSzGKdQHJH1myfD6TqOiDALXtyzlX</span>
<span id="LC23" class="line" lang="plaintext">63PUShfn2YNPvcbe+Tk00rR1/htcYk2yUpDSenAbpZ9ncth6rjmInURZgG4SMKXb</span>
<span id="LC24" class="line" lang="plaintext">SlLnBljCjtN1jFW8wQPKMc/14SslsVAHY3ka8KkCgYB58QNT1YfH3jS62+mT2pXq</span>
<span id="LC25" class="line" lang="plaintext">qLjLqvsD742VYnFoHR+HBOnN8ry0dda4lgwM106L5FgSg9DOZvASZ+QGFk+QVQv+</span>
<span id="LC26" class="line" lang="plaintext">c77ASWpuhmBmamZCrwZXrq9Xc92RDPkKFqnP9MVv06hYKNp0moSdM8dIaM6uSows</span>
<span id="LC27" class="line" lang="plaintext">/r/aDs4oudubz26o5GDKmA==</span>
<span id="LC28" class="line" lang="plaintext">-----END PRIVATE KEY-----</span></code></pre>
<ul dir="auto">
<li><code>gnutls-serv -p 4433 -a --x509certfile enc-only-cert.pem --x509keyfile enc-only-key.pem</code></li>
<li>Build BoringSSL from source. Then run the command-line testing tool:</li>
<li><code>bssl client -connect localhost:4433 -max-version tls1.3</code></li>
<li><code>bssl client -connect localhost:4433 -max-version tls1.2</code></li>
</ul>
<h2 dir="auto">
<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>
<p dir="auto">The first <code>bssl</code> run fails with <code>KEY_USAGE_BIT_INCORRECT</code>.
The second <code>bssl</code> run succeeds but negotiates <code>TLS_RSA_WITH_AES_128_GCM_SHA256</code>.</p>
<h2 dir="auto">
<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>
<p dir="auto">It's unclear how feasible this is or how well it fits with the rest of what GnuTLS does, but given that you all already filter the cipher list based on key usage (otherwise presumably <code>gnutls-serv</code> would have negotiated ECDHE_RSA), it seemed odd that you don't also take it into consideration for TLS 1.3. Then again, versions are usually negotiated fairly early, so you may consider it a WontFix. Anyway, I thought I would bring this up in case you wished to do anything about it.</p>
<p dir="auto">A footnote: BoringSSL doesn't currently enforce the key usage extension at TLS 1.2 yet, though we're <a href="https://crbug.com/795089" rel="nofollow noreferrer noopener" target="_blank">working on changing that</a>. We do enforce it at TLS 1.3 as there were no risks with antivirus and bad Enterprise deployments. Though that's moot here since GnuTLS's behavior at TLS 1.2 <em>does</em> satisfy the key usage extension.</p>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777777;">
<a href="https://gitlab.com/gnutls/gnutls/issues/690">View this issue on GitLab</a>.
</p>
</div>
</body>
</html>