Project

General

Profile

Bug #2912

OpenSSL 1.1.1: renegotiation initiated by client, killing connection

Added by The-Compiler about 1 month ago. Updated about 1 month ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
TLS
Target version:
Start date:
2018-10-05
Due date:
% Done:

100%

Estimated time:
Missing in 1.5.x:

Description

After upgrading to OpenSSL 1.1.1 with lighttpd 1.4.50 on Archlinux, all requests are aborted with "(mod_openssl.c.1419) SSL: renegotiation initiated by client, killing connection".
See the corresponding Archlinux ticket: https://bugs.archlinux.org/task/60294

In other bugs (linked there) in client software, this seems to happen because: "openssl 1.1.1 automatically adds support for TLS 1.3 which causes some servers, like Google's SMTP servers, to provide invalid self-signed certificates if the client does not send the SNI".

Associated revisions

Revision 7a7f4f98 (diff)
Added by gstrauss about 1 month ago

[mod_openssl] no renegotiation in TLS 1.3 (fixes #2912)

x-ref:
"OpenSSL 1.1.1: renegotiation initiated by client, killing connection"
https://redmine.lighttpd.net/issues/2912

History

#1

Updated by The-Compiler about 1 month ago

Rebuilding openssl and adding “no-tls1_3" to the Configure arguments seems to help.

#2

Updated by gstrauss about 1 month ago

I am unsure why you think an incompatible change in openssl is a bug in lighttpd. Your own problem report at https://bugs.archlinux.org/task/60294 notes "many programs depending on OPENSSL_1_1_1 fail now"

For lighttpd, Docs_SSL contains:

ssl.disable-client-renegotiation enable/disable mitigation of client triggered re-negotiation (see CVE-2009-3555). Important: This setting can only be set globally!

The reason ssl.disable-client-renegotiation = "enable" is the default (disabling client renegotiation) is CVE-2009-3555.

You may configure openssl with ssl.openssl.ssl-conf-cmd specify openssl config commands (e.g. ("Protocol" => "-ALL, TLSv1.2") restricts protocol to only TLS 1.2) (since 1.4.48) among other more generic configuration directives supported by numerous other SSL libraries with openssl compatibility configuration layers.

The short-term workaround for lighttpd on Arch with openssl 1.1.1 may be to disable TLSv1.3 protocol, even though once people add that to their configs, they might not take it out, and that would move people in the opposite direction from using new and improved security protocols.

#3

Updated by The-Compiler about 1 month ago

FWIW, the Archlinux report isn't mine, and "many programs depending on OPENSSL_1_1_1 fail now" is referring to downgrading to OpenSSL 1.1.0 while continuing to use packages built against 1.1.1.

Can you elaborate on what's going on there exactly? Why does openssl 1.1.1 make lighttpd think there's a re-negotiation going on? Does OpenSSL try to negotiate a TLSv1.3 connection, fails (why?), and then try to re-negotiate with TLSv1.2?

#4

Updated by gstrauss about 1 month ago

From a quick search, it appears that the renegotiation detection logic in lighttpd, apache, and likely others, is no longer valid for openssl 1.1.1. Renegotiations are not part of TLSv1.3. However, it appears that the behavior of openssl 1.1.1 may trigger the renegotiation detection logic in lighttpd. As I mentioned, for security reasons needed at least until TLSv1.2, renegotiation is disabled by default in lighttpd. This is all just an initial assessment. Please do not treat the above as authoritative. I plan to dig into this further this weekend.

#5

Updated by gstrauss about 1 month ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.51

This might address the issue introduced with OpenSSL 1.1.1 and TLS 1.3. Please help test and confirm.

diff --git a/src/mod_openssl.c b/src/mod_openssl.c
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -81,7 +81,7 @@ static char *local_send_buffer;
 typedef struct {
     SSL *ssl;
     connection *con;
-    unsigned int renegotiations; /* count of SSL_CB_HANDSHAKE_START */
+    int renegotiations; /* count of SSL_CB_HANDSHAKE_START */
     int request_env_patched;
     plugin_config conf;
     server *srv;
@@ -198,8 +198,21 @@ ssl_info_callback (const SSL *ssl, int where, int ret)

     if (0 != (where & SSL_CB_HANDSHAKE_START)) {
         handler_ctx *hctx = (handler_ctx *) SSL_get_app_data(ssl);
-        ++hctx->renegotiations;
+        if (hctx->renegotiations >= 0) ++hctx->renegotiations;
     }
+  #ifdef TLS1_3_VERSION
+    /* https://github.com/openssl/openssl/issues/5721
+     * "TLSv1.3 unexpected InfoCallback after handshake completed" */
+    if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
+        /* SSL_version() is valid after initial handshake completed */
+        if (SSL_version(ssl) >= TLS1_3_VERSION) {
+            /* https://wiki.openssl.org/index.php/TLS1.3
+             * "Renegotiation is not possible in a TLSv1.3 connection" */
+            handler_ctx *hctx = (handler_ctx *) SSL_get_app_data(ssl);
+            hctx->renegotiations = -1;
+        }
+    }
+  #endif
 }

 /* https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_verify(3)#EXAMPLES */
#6

Updated by The-Compiler about 1 month ago

Thanks for the patch! Applying it on top of 1.4.50 indeed seems to fix the issue.

#7

Updated by gstrauss about 1 month ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom