<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=utf-8" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<div></div>

<h2 dir="auto">

<a id="user-content-description-of-problem" class="anchor" href="#description-of-problem" aria-hidden="true"></a>Description of problem:</h2>

<p dir="auto">When TLS 1.3 support is disabled, the downgrade sentinels for TLS 1.1 and TLS 1.0 connections are not set by the server</p>

<h2 dir="auto">

<a id="user-content-version-of-gnutls-used" class="anchor" href="#version-of-gnutls-used" aria-hidden="true"></a>Version of gnutls used:</h2>

<p dir="auto">gnutls-3.6.5-2.el8.x86_64</p>

<h2 dir="auto">

<a id="user-content-distributor-of-gnutls-eg-ubuntu-fedora-rhel" class="anchor" href="#distributor-of-gnutls-eg-ubuntu-fedora-rhel" aria-hidden="true"></a>Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)</h2>

<p dir="auto">RHEL</p>

<h2 dir="auto">

<a id="user-content-how-reproducible" class="anchor" href="#how-reproducible" aria-hidden="true"></a>How reproducible:</h2>

<p dir="auto">Steps to Reproduce:</p>

<ul dir="auto">

<li><code>gnutls-serv --priority @SYSTEM:-VERS-TLS1.3 ...</code></li>

<li><code>tlsfuzzer/scripts/test-downgrade-protection.py --server-max-protocol=TLSv1.2</code></li>

</ul>

<h2 dir="auto">

<a id="user-content-actual-results" class="anchor" href="#actual-results" aria-hidden="true"></a>Actual results:</h2>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">TLS 1.3 downgrade check for Protocol (3, 1) ...</span>

<span id="LC2" class="line" lang="plaintext">Error encountered while processing node <tlsfuzzer.expect.ExpectServerHello object at 0x7fc20a72c1d0> (child: <tlsfuzzer.expect.ExpectCertificate object at 0x7fc20a72c208>) with last message being: <tlslite.messages.Message object at 0x7fc20a731748></span>

<span id="LC3" class="line" lang="plaintext">Error while processing</span>

<span id="LC4" class="line" lang="plaintext">Traceback (most recent call last):</span>

<span id="LC5" class="line" lang="plaintext">  File "tlsfuzzer/scripts/test-downgrade-protection.py", line 204, in main</span>

<span id="LC6" class="line" lang="plaintext">    runner.run()</span>

<span id="LC7" class="line" lang="plaintext">  File "/tmp/tmp.EFXzDIvMDn/tlsfuzzer/tlsfuzzer/runner.py", line 227, in run</span>

<span id="LC8" class="line" lang="plaintext">    node.process(self.state, msg)</span>

<span id="LC9" class="line" lang="plaintext">  File "/tmp/tmp.EFXzDIvMDn/tlsfuzzer/tlsfuzzer/expect.py", line 586, in process</span>

<span id="LC10" class="line" lang="plaintext">    self._check_downgrade_protection(srv_hello)</span>

<span id="LC11" class="line" lang="plaintext">  File "/tmp/tmp.EFXzDIvMDn/tlsfuzzer/tlsfuzzer/expect.py", line 692, in _check_downgrade_protection</span>

<span id="LC12" class="line" lang="plaintext">    "Server failed to set downgrade protection sentinel in "</span>

<span id="LC13" class="line" lang="plaintext">AssertionError: Server failed to set downgrade protection sentinel in ServerHello.random value</span>

<span id="LC14" class="line" lang="plaintext"></span>

<span id="LC15" class="line" lang="plaintext">TLS 1.3 downgrade check for Protocol (3, 2) ...</span>

<span id="LC16" class="line" lang="plaintext">Error encountered while processing node <tlsfuzzer.expect.ExpectServerHello object at 0x7fc20a72c5f8> (child: <tlsfuzzer.expect.ExpectCertificate object at 0x7fc20a72c630>) with last message being: <tlslite.messages.Message object at 0x7fc20a731940></span>

<span id="LC17" class="line" lang="plaintext">Error while processing</span>

<span id="LC18" class="line" lang="plaintext">Traceback (most recent call last):</span>

<span id="LC19" class="line" lang="plaintext">  File "tlsfuzzer/scripts/test-downgrade-protection.py", line 204, in main</span>

<span id="LC20" class="line" lang="plaintext">    runner.run()</span>

<span id="LC21" class="line" lang="plaintext">  File "/tmp/tmp.EFXzDIvMDn/tlsfuzzer/tlsfuzzer/runner.py", line 227, in run</span>

<span id="LC22" class="line" lang="plaintext">    node.process(self.state, msg)</span>

<span id="LC23" class="line" lang="plaintext">  File "/tmp/tmp.EFXzDIvMDn/tlsfuzzer/tlsfuzzer/expect.py", line 586, in process</span>

<span id="LC24" class="line" lang="plaintext">    self._check_downgrade_protection(srv_hello)</span>

<span id="LC25" class="line" lang="plaintext">  File "/tmp/tmp.EFXzDIvMDn/tlsfuzzer/tlsfuzzer/expect.py", line 692, in _check_downgrade_protection</span>

<span id="LC26" class="line" lang="plaintext">    "Server failed to set downgrade protection sentinel in "</span>

<span id="LC27" class="line" lang="plaintext">AssertionError: Server failed to set downgrade protection sentinel in ServerHello.random value</span></code></pre>

<h2 dir="auto">

<a id="user-content-expected-results" class="anchor" href="#expected-results" aria-hidden="true"></a>Expected results:</h2>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">TLS 1.3 downgrade check for Protocol (3, 1) ...</span>

<span id="LC2" class="line" lang="plaintext">OK</span>

<span id="LC3" class="line" lang="plaintext"></span>

<span id="LC4" class="line" lang="plaintext">TLS 1.3 downgrade check for Protocol (3, 2) ...</span>

<span id="LC5" class="line" lang="plaintext">OK</span></code></pre>

<h2 dir="auto">

<a id="user-content-additional-info" class="anchor" href="#additional-info" aria-hidden="true"></a>Additional info:</h2>

<p dir="auto">While setting the downgrade sentinels is not mandatory when the TLS 1.2 is the highest supported version, it is recommended. And the main reason it is optional, is that not all TLS 1.2 implementations needs to be updated, but GnuTLS is implementing TLS 1.3...</p>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/734">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/sent_notifications/2d4e5ef3df5f8258e409b41aaa2a9695/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/issues/734"}}</script>

</p>

</div>

</body>

</html>