Bug 1686579

Summary: GnuTLS server sends downgrade sentinel when negotiating TLS 1.3
Product: Red Hat Enterprise Linux 8 Reporter: Hubert Kario <hkario>
Component: gnutlsAssignee: Anderson Sasaki <ansasaki>
Status: CLOSED ERRATA QA Contact: Tomas Mraz <tmraz>
Severity: high Docs Contact:
Priority: high    
Version: 8.0CC: dueno, pasik, tmraz
Target Milestone: rcKeywords: TestBlocker, Triaged
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnutls-3.6.8-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 22:26:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1682477, 1689967    
Bug Blocks:    

Description Hubert Kario 2019-03-07 18:17:45 UTC 
Description of problem:
ServerHello message sent by gnutls server includes the sentinel value in server_random that should be used when the server has TLS 1.3 enabled but negotiated TLS 1.2, despite the connection using TLS 1.3.

Version-Release number of selected component (if applicable):
gnutls-3.6.5-2.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. run any tlsfuzzer test that negotiates TLS 1.3, e.g. test-tls13-keyupdate.py

Actual results:
sanity ...
Error encountered while processing node <tlsfuzzer.expect.ExpectServerHello object at 0x7f6103b1eef0> (child: <tlsfuzzer.expect.ExpectChangeCipherSpec object at 0x7f6103b1ef28>) with last message being: <tlslite.messages.Message object at 0x7f6103b62668>
Error while processing
Traceback (most recent call last):
  File "tlsfuzzer/scripts/test-tls13-keyupdate.py", line 585, in main
    runner.run()
  File "/tmp/tmp.bVoGaKAI5j/tlsfuzzer/tlsfuzzer/runner.py", line 227, in run
    node.process(self.state, msg)
  File "/tmp/tmp.bVoGaKAI5j/tlsfuzzer/tlsfuzzer/expect.py", line 586, in process
    self._check_downgrade_protection(srv_hello)
  File "/tmp/tmp.bVoGaKAI5j/tlsfuzzer/tlsfuzzer/expect.py", line 666, in _check_downgrade_protection
    "Server set downgrade protection sentinel but shouldn't "
AssertionError: Server set downgrade protection sentinel but shouldn't have done that

Expected results:
connection established, error not printed, random not including the sentinel value

Additional info:
Comment 2 Anderson Sasaki 2019-03-13 16:00:54 UTC 
Upstream fix:
https://gitlab.com/gnutls/gnutls/merge_requests/918
Comment 3 Hubert Kario 2019-03-20 20:10:30 UTC 
One more problem: the server is not setting the downgrade sentinel when the TLS 1.3 support is disabled and TLS 1.1 or TLS 1.0 is negotiated.
Comment 6 Hubert Kario 2019-06-03 15:49:39 UTC 
see also: bug 1716563
Comment 10 errata-xmlrpc 2019-11-05 22:26:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3600