| Summary: | malformed ALPN extension is rejected with incorrect alert messages | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Hubert Kario <hkario> | |
| Component: | nss | Assignee: | nss-nspr-maint <nss-nspr-maint> | |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | |
| Severity: | low | Docs Contact: | ||
| Priority: | low | |||
| Version: | 6.8 | CC: | kengert | |
| Target Milestone: | pre-dev-freeze | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1511460 (view as bug list) | Environment: | ||
| Last Closed: | 2017-11-08 16:15:38 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 1511460 | |||
If you find deficiencies in NSS that aren't specific to our packaging, please always report an upstream bug. EKR / Upstream has argued this isn't an issue with TLS 1.2, only with TLS 1.3 which we won't enable yet. the decode_error wording comes from RFC 5246, not from TLS1.3 draft... I understood his comment as "while in TLS1.2 we might have been able to weasel out, TLS 1.3 is too precise in that regard so it should be fixed everywhere" Upstream hasn't made progress in 7 months. It seems this is considered low priority. Unlikely to get fixed for 6.10 imprecise error message doesn't meet the criteria for priority items for 6.10, I'm marking it as wontfix, to indicate we won't track it for 6.10 it's good that you have reported this upstream, to get this fixed eventually. |
Description of problem: The extension is defined as follows: The "extension_data" field of the ("application_layer_protocol_negotiation(16)") extension SHALL contain a "ProtocolNameList" value. opaque ProtocolName<1..2^8-1>; struct { ProtocolName protocol_name_list<2..2^16-1> } ProtocolNameList; When the ProtocolName length is 0 or the protocol_name_list length is 0, NSS doesn't send the expected decode_error alert: decode_error A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. This message is always fatal and should never be observed in communication between proper implementations (except when messages were corrupted in the network). Instead it sends illegal_parameter and no_application_protocol alerts. Version-Release number of selected component (if applicable): nss-3.27.1-12.el6.x86_64 How reproducible: always Steps to Reproduce: git clone https://github.com/tomato42/tlsfuzzer.git pushd tlsfuzzer git checkout alpn-test # won't be necessary in future git clone https://github.com/warner/python-ecdsa .python-ecdsa ln -s .python-ecdsa/ecdsa ecdsa git clone https://github.com/tomato42/tlslite-ng.git .tlslite-ng ln -s .tlslite-ng/tlslite tlslite popd openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch -subj /CN=localhost openssl pkcs12 -export -passout pass: -out localhost.p12 -inkey localhost.key -in localhost.crt mkdir nssdb certutil -N -d sql:nssdb --empty-password pk12util -i localhost.p12 -d sql:nssdb -W '' ./selfserv -d sql:./nssdb -p 4433 -V tls1.0: -H 1 -n localhost -Q # in another terminal, same directory PYTHONPATH=tlsfuzzer python tlsfuzzer/scripts/test-alpn-negotiation.py 'empty extension' 'empty list' Actual results: empty extension ... Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x2dd9790> (child: <tlsfuzzer.expect.ExpectClose object at 0x2dd97d0>) with last message being: <tlslite.messages.Message object at 0x2dd9f90> Error while processing Traceback (most recent call last): File "test-alpn-negotiation.py", line 218, in main runner.run() File "/tmp/tmp.pejrU9l8lU/tlsfuzzer/tlsfuzzer/runner.py", line 168, in run node.process(self.state, msg) File "/tmp/tmp.pejrU9l8lU/tlsfuzzer/tlsfuzzer/expect.py", line 542, in process raise AssertionError(problem_desc) AssertionError: Alert description 47 != 50 empty list ... Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x2dd9650> (child: <tlsfuzzer.expect.ExpectClose object at 0x2dd9690>) with last message being: <tlslite.messages.Message object at 0x2ddaf10> Error while processing Traceback (most recent call last): File "test-alpn-negotiation.py", line 218, in main runner.run() File "/tmp/tmp.pejrU9l8lU/tlsfuzzer/tlsfuzzer/runner.py", line 168, in run node.process(self.state, msg) File "/tmp/tmp.pejrU9l8lU/tlsfuzzer/tlsfuzzer/expect.py", line 542, in process raise AssertionError(problem_desc) AssertionError: Alert description 120 != 50 Expected results: empty extension ... OK empty list ... OK Additional info: