Bug #3080
closedLighttpd 1.4.58 SSL connections stop working if system time of lighttpd server is changed to future one (+12h or even days)
Description
Hello,
we see at the moment many issue using SSL at lighttp 1.4.58 (worked flawless at 1.4.54) (self signed cert) in combination with date/time changes.
What we observed:
1. Use a SSL connection to open some page (php index)
2. Change date time to a date/time in the future + >= 12h
3. reload page => ERC_SSL_ERROR reported in chrome and strace -p for lighttpd reports only:
gettimeofday({1936613395, 543116}, NULL) = 0
wait4(2090, 0x7edeabbc, WNOHANG, NULL) = 0
wait4(2089, 0x7edeabbc, WNOHANG, NULL) = 0
wait4(2088, 0x7edeabbc, WNOHANG, NULL) = 0
wait4(2103, 0x7edeabbc, WNOHANG, NULL) = 0
wait4(2100, 0x7edeabbc, WNOHANG, NULL) = 0
wait4(2095, 0x7edeabbc, WNOHANG, NULL) = 0
We did not see such issues with previous releases.
Is there a new bug in? Since a date/time can always be changed, so running the lighttpd in UTC will not solve this if date/time is changed in addition to timezone only.
Please fix it or propose a workaround until it is fixed.
Many Thanks
Updated by Anonymous over 3 years ago
is the only way to disable the tickets:
ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket") ?
Updated by gstrauss over 3 years ago
- Status changed from New to Duplicate
- Target version changed from 1.4.x to 1.4.60
See #3075
commit d50d4dc0
commit d8f8548f
Please test with lighttpd git master. https://git.lighttpd.net/lighttpd/lighttpd1.4.git/
Your history on this site suggests that you spend time posting before taking a moment to use the Search box on the site, or to look at recently closed issues (which are closed automatically with commits to master)
(https://redmine.lighttpd.net/boards/2/topics/8345)
In the future, please take a few moments to search for related issues before posting duplicates.
Updated by Anonymous over 3 years ago
Hi,
the commit with == 0 start does not solve these issues.
I did some debugging and it seems that the time is changed to past or future the tokens become invalid and no new token will be generated if the time of last geneation is not expired.
This leads to the problems I have seen. Since no new ticket is generated until the time is expired or ticket becomes valid again.
Regarding RFC 5077 https://datatracker.ietf.org/doc/html/rfc5077
Section 3.2
https://datatracker.ietf.org/doc/html/rfc5077#section-3.2
"If the server fails to verify the ticket, then it falls back to
performing a full handshake. If the ticket is accepted by the server
but the handshake fails, the client SHOULD delete the ticket."
But lighttpd does not fall back to default behaviour (handshaking).
Am I totally wrong or is this really a bug?
Updated by gstrauss over 3 years ago
If you only tested with one cherry-picked commit, then you did not do as I asked, which was to test with lighttpd git master.
I repeat what I posted above:
Please test with lighttpd git master. https://git.lighttpd.net/lighttpd/lighttpd1.4.git/
The TLS library should fall back to perform a full handshake if the server fails to verify the ticket. Note well that I wrote "TLS library" and I did not write "lighttpd". lighttpd registers a callback and provides an appropriate return value to openssl, depending on whether or not lighttpd has a valid session ticket encryption key to decode the ticket provided by the client. lighttpd might be configured with session ticket encryption keys synchronized across servers, and so must use "real-time" instead of monotonic clock for session ticket encryption key expiry.
Does disabling session tickets "fix" the issue for you?
Updated by gstrauss over 3 years ago
lighttpd supports multiple TLS modules (lighttpd TLS docs). You should test using lighttpd git master and one of mod_gnutls or mod_mbedtls, in addition to mod_openssl.
Updated by gstrauss over 3 years ago
lighttpd TLS modules periodically check every 64 seconds (0x3f) to see if session tickets have expired or stapling files need to be refreshed.
If your clock jumps a large amount (e.g. > 1 day), then session ticket encryption keys generated by lighttpd may be expired for up to 64 seconds until lighttpd will notice and will generate new session ticket encryption keys. In the meantime (up to 64 seconds), the TLS library should fall back to a full handshake.
.
Aside: Note that if your clock jumps a large amount, that is a you problem, not a lighttpd problem. lighttpd does attempt to recover, but it would be better if you restarted appropriate system services when you trigger a large clock jump. See also the discussion in #3075. Embedded devices are systems, and the words "embedded device" does not constitute a valid excuse for suggesting that time keeping is someone else's problem. Time-keeping on your system is your problem, not lighttpd's problem. lighttpd uses the system time, as do other system services/daemons.
Updated by Anonymous over 3 years ago
Thanks for the response.
Does disabling session tickets "fix" the issue for you?
Yes without Session Tickets it works also with time changes without any issue.
I also observed what you describe so if time is set to future it takes 64 seconds until the communication is working again.
If the time is tuned into the past the conenction is "lost" until the ticket becomes valid again or a new one is generated (<8h).
We will continue to use lighttpd without Session Tickets for now, but we will look into it deeper with the upcoming releases.
Thanks for Support
Updated by gstrauss over 3 years ago
What version of openssl libraries are you using? As of 1 Jan 2020, only openssl 1.1.1 and later continue to receive security patches from openssl.org
Updated by gstrauss over 3 years ago
If the time is tuned into the past
I think the correct phrasing is "If time is corrupted and moves backwards by a large amount".
Perhaps you should consider keeping the system time to UTC, and allowing the user to set TZ for display to the user. Those are different things.
.
As I posted above, you should test with lighttpd mod_gnutls or mod_mbedtls in addition to mod_openssl. I have not reproduced your corrupt system. My system works with Firefox client, lighttpd (git master), and openssl 1.1.1k when I force there to be no valid session ticket encryption keys. Even when there are no valid session ticket encryption keys, openssl libraries should fallback to full handshake. Your client might be stuck. After you change the time, open a new Chrome browser on a different machine, and try connecting.
In the future, I might include detection for broken systems which jump time backwards by large amounts. The following (untested) patch should trigger session ticket encryption key regeneration when time moves backwards > 28800 seconds, detected during lighttpd periodic checks (once every 64 seconds)
--- a/src/mod_openssl.c +++ b/src/mod_openssl.c @@ -440,6 +440,11 @@ mod_openssl_session_ticket_key_file (const char *fn) static void mod_openssl_session_ticket_key_check (const plugin_data *p, const time_t cur_ts) { + static time_t detect_retrograde_ts; + if (detect_retrograde_ts > cur_ts && detect_retrograde_ts - cur_ts > 28800) + stek_rotate_ts = 0; + detect_retrograde_ts = cur_ts; + int rotate = 0; if (p->ssl_stek_file) { struct stat st;
Updated by gstrauss about 3 years ago
- Related to Bug #3075: TLS 1.3 with SessionTicket fail for the first 8 hours of 1970 added
Updated by gstrauss about 3 years ago
- Related to deleted (Bug #3075: TLS 1.3 with SessionTicket fail for the first 8 hours of 1970)
Updated by gstrauss about 3 years ago
- Is duplicate of Bug #3075: TLS 1.3 with SessionTicket fail for the first 8 hours of 1970 added
Also available in: Atom