Description of problem: I'm working on TLS 1.3 related patches for mod_nss. For testing I created a COPR with TLS 1.3 enabled NSS 3.28.1, patched mod_nss and patched python-nss https://copr.fedorainfracloud.org/coprs/cheimes/nss/ . I noticed that neither python-nss nor Firefox nightly are able to connect to mod_nss-powered Apache HTTPD when mod_nss is configured for TLSv1.3 only and the mod_nss option NSSRequireSafeNegotiation is enabled. The option sets SSL_REQUIRE_SAFE_NEGOTIATION. With NSSRequireSafeNegotiation on: python-nss fails with: (SSL_ERROR_NO_CYPHER_OVERLAP) Cannot communicate securely with peer: no common encryption algorithm(s). Firefox nightly fails with: SSL_ERROR_NO_CYPHER_OVERLAP Apache HTTP error_log: SSL Library Error: -12175 Safe negotiation required but not provided by client Wireshark shows a TLS 1.0 handshake (0x301) with renegotiation_info extension (0xff01) and a couple of unknown extensions (40 key share, 43 supported version, 45 psk kx). With NSSRequireSafeNegotiation off: python-nss: successful TLS 1.3 connection with TLS_AES_128_GCM_SHA256 Firefox nightly: successful TLS 1.3 connection with TLS_AES_128_GCM_SHA256 Version-Release number of selected component (if applicable): NSS 3.28.1 with TLS 1.3 enabled mod_nss 1.0.14+ with https://pagure.io/fork/cheimes/mod_nss/branch/tls13 How reproducible: Always SSL_REQUIRE_SAFE_NEGOTIATION on Steps to Reproduce: 1. Install NSS and mod_nss from my copr 2. change /etc/httpd/conf.d/nss.conf and supply a certificate for mod_nss. NSSRenegotiation on NSSRequireSafeNegotiation on NSSCipherSuite +aes_128_gcm_sha_256,+chacha20_poly1305_sha_256 NSSProtocol TLSv1.3 3. test with Firefox nightly Actual results: SSL_ERROR_NO_CYPHER_OVERLAP Expected results: TLS 1.3 connection Additional info:
If mod_nss independently configures allowed cipher suites, have you changed it to allow the new TLS 1.3 ciphersuites?
Could you run "ssltap -s" on your system, connect firefox through ssltap to your server, and attach the output from ssltap?
(In reply to Kai Engert (:kaie) from comment #1) > If mod_nss independently configures allowed cipher suites, have you changed > it to allow the new TLS 1.3 ciphersuites? Yes, see https://pagure.io/mod_nss/pull-request/35
Yes, see step 2 of reproducer. With "NSSRequireSafeNegotiation off", I'm able to successfully connect to mod_nss over TLS1.3. With "NSSRequireSafeNegotiation on" I get SSL_ERROR_NO_CYPHER_OVERLAP.
memo to me: provide ssltap data for Kai.
> Wireshark shows a TLS 1.0 handshake (0x301) with renegotiation_info extension (0xff01) and a couple of unknown extensions (40 key share, 43 supported version, 45 psk kx). I'm assuming you're talking about version in record layer, not the version in the Client Hello message?
Kai, I can't reproduce it using selfserv, the necessary option is missing from selfserv: https://bugzilla.mozilla.org/show_bug.cgi?id=1342019
I've also reproduced using Kai's copr build from https://copr.fedorainfracloud.org/coprs/kengert/nss-with-tls-1.3/ and Christian's mod_nss build from https://copr.fedorainfracloud.org/coprs/cheimes/nss/
My understanding is that renegotiation is forbidden with TLS 1.3 https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.txt I don't know if the enabling of TLS 1.3 support on a server requires that the server side disables any support for renegotiation, or if the NSS server code should implement a compatibility behavior. I've reported this upstream at: https://bugzilla.mozilla.org/show_bug.cgi?id=1375837 (In the future, I'd like to encourage you to report such bugs directly to the upstream, because that's where the people are that actually implement the TLS 1.3 code. You didn't get anything by reporting this as a Fedora package bug, besides a 4 month delay until I was able to be the middleman here and forward.)
Thanks for proxying my request. Next time I'll directly open a request in upstream. According to the upstream tracker, the issue has been fixed in NSS 3.33. I don't have time to verify the fix with mod_nss. IMO it's ok to close this bug. After all TLS 1.3 is still in draft mode and mod_nss doesn't support TLS 1.3 yet.