Bug 1393579

Summary: OpenSSL 1.1.0 client can send Certificate message on renegotiation although not requested
Product: [Fedora] Fedora Reporter: Sandro Mani <manisandro>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: cheimes, itamar, kevin, mcepl, mcepl, nick, npmccallum, pahan, puiterwijk, terrycwk1994, tmraz
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssl-1.1.0c-3.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-30 13:30:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Broken renegotiation none

Description Sandro Mani 2016-11-09 22:02:07 UTC 
Description of problem:
After upgrading to python2-cryptography-1.5.3-1, fedpkg build returns:

$ fedpkg build
/usr/lib/python2.7/site-packages/pyrpkg/__init__.py:314: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6
  for (_, _, ssl_reason) in error.message:
You might want to run fedora-packager-setup to regenerate SSL certificate. For more info see https://fedoraproject.org/wiki/Using_the_Koji_build_system#Fedora_Account_System_.28FAS2.29_Setup
Could not execute build: Could not auth with koji. Login failed: [('SSL routines', 'SSL_shutdown', 'shutdown while in init')] 

Version-Release number of selected component (if applicable):
python2-cryptography-1.5.3-1

How reproducible:
Always
Comment 1 Nathaniel McCallum 2016-11-09 22:06:13 UTC 

*** This bug has been marked as a duplicate of bug 1392570 ***
Comment 2 Kevin Fenzi 2016-11-11 01:32:55 UTC 
I think this is actually still an issue and not a dupe of 1392570. 

evin@sheelba ~ % rpm -q python2-pyOpenSSL python2-cryptography
python2-pyOpenSSL-16.2.0-1.fc26.noarch
python2-cryptography-1.5.3-3.fc26.x86_64
kevin@sheelba ~ % stg-koji list-tasks --mine
Error: [('SSL routines', 'SSL_shutdown', 'shutdown while in init')]
Comment 3 Kevin Fenzi 2016-11-11 19:10:38 UTC 
Patrick debugged this down to a negotiation problem. 

Adding him to cc here for further comment...
Comment 4 Patrick Uiterwijk 2016-11-12 00:12:42 UTC 
This seems to be an issue in the renegotiation code of OpenSSL 1.1: the difference between the working and the broken python-cryptography is that the working one is linked against libssl.so.1.0, and the broken one with libssl.so.1.1.

When we disable renegotiation by accepting client certificates on the root path, client cert authentication is working.


With OpenSSL 1.1.0, after it receives the Finished message for the renegotiation, it gets another HelloRequest, restarts the negotiation, and then after it sends its ChangeCipherSpec/Finished message pair, it receives an unexpected message (10) alert from the server, which aborts the entire handshake.

I do not have this level of detail for the server-side yet.
Comment 5 Patrick Uiterwijk 2016-11-12 00:21:07 UTC 
The server is running:
openssl-1.0.1e-51.el7_2.7.x86_64
mod_ssl-2.4.6-40.el7_2.4.x86_64
httpd-2.4.6-40.el7_2.4.x86_64

The broken configuration had a "SSLVerifyClient require" only in a <Location /kojihub/ssllogin>, and no SSLVerifyClient in the root location, so that as soon as the HTTP GET for /kojihub/ssllogin is sent, a renegotiation is issued.
We temporarily fixed it by accepting client certificates on the root by adding "SSLVerifyClient optional" outside of any Location blocks, which prevents renegotiation.
Comment 6 Tomas Mraz 2016-11-14 09:43:19 UTC 
(In reply to Patrick Uiterwijk from comment #4)
> 
> With OpenSSL 1.1.0, after it receives the Finished message for the
> renegotiation, it gets another HelloRequest, restarts the negotiation, and
> then after it sends its ChangeCipherSpec/Finished message pair, it receives
> an unexpected message (10) alert from the server, which aborts the entire
> handshake.

So there are two HelloRequest - two renegotiation attemps from the server? That's strange. Does the client send the client certificate during the first renegotiation attempt?
Comment 7 Patrick Uiterwijk 2016-11-14 13:29:57 UTC 
Yes, there is a certificate. I will attach a dump of openssl s_client that shows the double renegotiation.
Comment 8 Patrick Uiterwijk 2016-11-14 13:30:06 UTC 
Created attachment 1220405 [details]
Broken renegotiation

As seen in openssl s_client.
Comment 9 Tomas Mraz 2016-11-14 14:54:39 UTC 
I tried to reproduce against a testing https RHEL-7 server which I configured to request a client certificate on some directory. However I was unable to - the server always sends only a single HelloRequest - I tried connecting to it with both openssl-1.0.2 from Fedora 23 and openssl-1.1.0 from Rawhide.

The koji.stg.fedoraproject.org is now reconfigured to always request a certificate? As I see it sends CertificateRequest on the initial negotiation now. The weird thing is that I still see three negotiations but the last one is not failing.
Comment 10 Patrick Uiterwijk 2016-11-14 15:04:38 UTC 
I have removed the workaround on staging koji.
You can test it with the exact command and input as specified in the dump:

openssl s_client -connect koji.stg.fedoraproject.org:443 -CAfile ~/.fedora-upload-ca.cert -cert ~/.fedora.cert -key ~/.fedora.cert -state -msg -tls1 -showcerts

When you get the shell after the first handshake, enter:
GET /kojihub/ssllogin HTTP/1.1
Host: koji.stg.fedoraproject.org

And then hit enter twice.
Comment 11 Tomas Mraz 2016-11-14 15:28:17 UTC 
Ah, it's clear now - the OpenSSL-1.1.0 client is sending Certificate without getting CertificateRequest from the server on the last renegotiation.
Comment 12 Tomas Mraz 2016-11-14 17:24:04 UTC 
https://github.com/openssl/openssl/issues/1920