Bug 1632660 - TLSv1.3 - enable post-handshake auth
Summary: TLSv1.3 - enable post-handshake auth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-IO-Socket-SSL
Version: 29
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-25 10:35 UTC by Joe Orton
Modified: 2019-02-14 01:58 UTC (History)

Fixed In Version: perl-IO-Socket-SSL-2.060-4.fc30 perl-IO-Socket-SSL-2.060-3.fc29
Clone Of:
Clones: 1633636
Environment:
Last Closed: 2019-02-14 01:58:04 UTC
Type: Bug
Embargoed:


Attachments
PoC patch (384 bytes, patch), 2018-09-25 10:35 UTC, Joe Orton

Description Joe Orton 2018-09-25 10:35:43 UTC
Created attachment 1486709: PoC patch

Description of problem:
Post-handshake auth is disabled by default with TLSv1.3. IMO this is an error but upstream don't seem inclined to reverse it atm, see https://github.com/openssl/openssl/issues/6933

Version-Release number of selected component (if applicable):
perl-IO-Socket-SSL-2.059-2.fc29

How reproducible:
always

Steps to Reproduce:
1. try using TLSv1.3 post-handshake auth

Actual results:
fail

Expected results:
success

Additional info:
Can provide more detailed repro case if required.

Comment 1 Joe Orton 2018-09-25 10:37:18 UTC
Patch should be conditional on Net::SSLeay exposing Net::SSLeay::CTX_set_post_handshake_auth which is done in f29 per bug 1630391, not sure how best to do that.

Comment 2 Paul Howarth 2018-09-25 12:17:19 UTC
(In reply to Joe Orton from comment #1)
> Patch should be conditional on Net::SSLeay exposing
> Net::SSLeay::CTX_set_post_handshake_auth which is done in f29 per bug
> 1630391, not sure how best to do that.

Probably by using a $can_pha variable, like $can_npn, $can_alpn, $can_ocsp etc., which are set in the BEGIN block of lib/IO/Socket/SSL.pm.
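The feature-detection pattern Paul describes, shown as an added illustration rather than code from IO::Socket::SSL or the attached PoC patch: a `$can_pha` flag is set once in a `BEGIN` block by checking whether Net::SSLeay exports `CTX_set_post_handshake_auth`, and the client context only opts in to post-handshake auth when that flag is true. The helper name `make_client_ctx` and its `cert_file`/`key_file`/`ca_file` arguments are assumptions for this example. The security point is the opt-in itself: with TLS 1.3, an OpenSSL 1.1.1 client that has not enabled PHA rejects a server's post-handshake CertificateRequest, so a client certificate that worked with TLS 1.2 silently stops being offered unless this flag is set.

```perl
#!/usr/bin/perl
# Added example (not IO::Socket::SSL's own code): detect Net::SSLeay support
# for TLS 1.3 post-handshake auth (PHA) at load time, following the
# $can_npn / $can_alpn / $can_ocsp pattern, and enable it on a client
# context only when the binding and the linked OpenSSL expose it.
use strict;
use warnings;
use Net::SSLeay;

# Declared at file scope and assigned in BEGIN, so it is final before any
# code below runs, just like the other $can_* flags.
my $can_pha;
BEGIN {
    Net::SSLeay::load_error_strings();
    Net::SSLeay::SSLeay_add_ssl_algorithms();
    Net::SSLeay::randomize();
    # Older Net::SSLeay builds (or OpenSSL < 1.1.1) do not define this XS
    # function at all, so 'defined &name' is the portable check.
    $can_pha = defined &Net::SSLeay::CTX_set_post_handshake_auth ? 1 : 0;
}

# Return the detected capability, useful for tests and diagnostics.
sub can_pha { return $can_pha }

# Build a client context that presents a certificate on request.
# %args: cert_file, key_file, ca_file (assumed inputs for this example).
sub make_client_ctx {
    my (%args) = @_;
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed";

    # Client certificate and key that the server may request later.
    Net::SSLeay::CTX_use_certificate_file($ctx, $args{cert_file},
        Net::SSLeay::FILETYPE_PEM()) or die "cannot load $args{cert_file}";
    Net::SSLeay::CTX_use_PrivateKey_file($ctx, $args{key_file},
        Net::SSLeay::FILETYPE_PEM()) or die "cannot load $args{key_file}";

    # Always verify the server; a client cert is no substitute for that.
    Net::SSLeay::CTX_load_verify_locations($ctx, $args{ca_file}, '')
        or die "cannot load CA file $args{ca_file}";
    Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), undef);

    # The conditional step: without this opt-in a TLS 1.3 client rejects a
    # post-handshake CertificateRequest, so servers that ask for the client
    # certificate after the handshake (e.g. per-location auth) would fail.
    Net::SSLeay::CTX_set_post_handshake_auth($ctx, 1) if $can_pha;

    return $ctx;
}

# Usage (paths are placeholders for this example):
#   my $ctx = make_client_ctx(cert_file => 'client.pem',
#                             key_file  => 'client.key',
#                             ca_file   => 'ca.pem');
#   warn "PHA not available; TLS 1.3 client auth after handshake will fail\n"
#       unless can_pha();
```

Because `$can_pha` is computed from the XS symbol rather than from a version number, the same code degrades cleanly on an older Net::SSLeay or on OpenSSL 1.1.0, where the call would otherwise die with an undefined-subroutine error at connect time.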

Comment 4 Petr Pisar 2019-02-08 12:48:21 UTC
Paul, if you don't mind, I will apply that patch. I have an intermittent test for that that I will include. (It uses openssl tool, once IO-Socket-SSL obtains server-side support for PHA the test will be rewritten without the openssl tool.)

Comment 5 Paul Howarth 2019-02-08 14:22:38 UTC
Petr, go ahead. I was going to wait until upstream commented on the PR but that doesn't appear to be happening at the moment.

Comment 6 Fedora Update System 2019-02-11 07:55:36 UTC
perl-IO-Socket-SSL-2.060-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8d92841c14

Comment 7 Fedora Update System 2019-02-12 02:50:00 UTC
perl-IO-Socket-SSL-2.060-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8d92841c14

Comment 8 Fedora Update System 2019-02-14 01:58:04 UTC
perl-IO-Socket-SSL-2.060-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

