Uploaded image for project: 'Erlang/OTP'
  1. Erlang/OTP
  2. ERL-1130

TLS 1.3 Fails in Chrome/Edge (tls_handshake_1_3#validate_client_key_share/2)

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: OTP 22.2
    • Fix Version/s: 22.2.3
    • Component/s: ssl
    • Labels:
      None

      Description

      Environment:

      OS: MacOS Catalina 10.15.2

      Erlang 22.2.1

      I am attempting to get tls 1.3 working in a phoenix application and am able to get things working in Firefox and Safari but am having issues with Chrome/Edge. The browser fails to load the page and my server returns the following error message.

      TLS :server: In state :start at tls_handshake_1_3.erl:612 generated SERVER ALERT: Fatal - Illegal Parameter

      So I ran the debugger to find exactly where we are failing in the handshake and it looks like there is a failure in the `validate_client_key_share` function.

      Here are the values that are being passed into that function.

      CHROME

      _Hello

      {client_hello,\{3,3}

      ,<<244,130,9,227,180,15,249,191,47,20,146,33,134,88,171,51,180,38,65,76,49,126,25,49,179,124,121,101,16,70,18,119>>,<<28,255,233,169,226,1,37,220,106,215,88,120,239,124,88,181,65,99,206,133,43,204,250,223,58,46,77,134,209,118,205,157>>,undefined,[<<"ªª">>,<<19,1>>,<<19,2>>,<<19,3>>,<<"À+">>,<<"À/">>,<<"À,">>,<<"À0">>,<<204,169>>,<<204,168>>,<<192,19>>,<<192,20>>,<<0,156>>,<<0,157>>,<<0,47>>,<<0,53>>,<<0,10>>],[0],#{alpn =>

      {alpn,<<2,104,50,8,104,116,116,112,47,49,46,49>>},client_hello_versions => {client_hello_versions,[{106,106},\{3,4},\{3,3},\{3,2},\{3,1}]},ec_point_formats => {ec_point_formats,[0]},elliptic_curves => {supported_groups,[x25519,secp256r1,secp384r1]},key_share => {key_share_client_hello,[{key_share_entry,undefined,<<0>>},\{key_share_entry,x25519,<<213,157,180,91,25,151,200,186,182,81,158,253,207,60,0,30,163,165,196,156,139,74,13,43,100,134,100,136,200,54,164,121>>}]},pre_shared_key => undefined,psk_key_exchange_modes => {psk_key_exchange_modes,[psk_dhe_ke]},renegotiation_info => {renegotiation_info,<<0>>},signature_algs => {signature_algorithms,[ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256,rsa_pkcs1_sha256,ecdsa_secp384r1_sha384,rsa_pss_rsae_sha384,rsa_pkcs1_sha384,rsa_pss_rsae_sha512,rsa_pkcs1_sha512,rsa_pkcs1_sha1]},signature_algs_cert => undefined,sni => {sni,"www.scalpel.dev"}}}

      Extensions
      #{alpn => {alpn,<<2,104,50,8,104,116,116,112,47,49,46,49>>}

      ,client_hello_versions => {client_hello_versions,[

      {106,106}

      ,{3,4},{3,3},{3,2},{3,1}]},ec_point_formats => {ec_point_formats,[0]},elliptic_curves => {supported_groups,[x25519,secp256r1,secp384r1]},key_share => {key_share_client_hello,[

      {key_share_entry,undefined,<<0>>}

      ,{key_share_entry,x25519,<<213,157,180,91,25,151,200,186,182,81,158,253,207,60,0,30,163,165,196,156,139,74,13,43,100,134,100,136,200,54,164,121>>}]},pre_shared_key => undefined,psk_key_exchange_modes => {psk_key_exchange_modes,[psk_dhe_ke]},renegotiation_info => {renegotiation_info,<<0>>},signature_algs => {signature_algorithms,[ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256,rsa_pkcs1_sha256,ecdsa_secp384r1_sha384,rsa_pss_rsae_sha384,rsa_pkcs1_sha384,rsa_pss_rsae_sha512,rsa_pkcs1_sha512,rsa_pkcs1_sha1]},signature_algs_cert => undefined,sni => {sni,"www.scalpel.dev"}}

      ClientShares0

      {key_share_client_hello,[\{key_share_entry,undefined,<<0>>}

      ,{key_share_entry,x25519,<<213,157,180,91,25,151,200,186,182,81,158,253,207,60,0,30,163,165,196,156,139,74,13,43,100,134,100,136,200,54,164,121>>}]}

      ClientShares
      [\{key_share_entry,undefined,<<0>>},\{key_share_entry,x25519,<<213,157,180,91,25,151,200,186,182,81,158,253,207,60,0,30,163,165,196,156,139,74,13,43,100,134,100,136,200,54,164,121>>}]

      ClientGroups
      [x25519,secp256r1,secp384r1]

      It looks like ClientShares has an undefined entry that is causing the illegal_parameter error to happen. I'm unsure if this is an issue with the erlang library or within the Chrome browser. Let me know if you need any additional information to resolve this bug. 

        Attachments

        1. 0001-ssl-Ignore-unknown-values-in-ClientHello-GREASE.patch
          4 kB
        2. chrome.pcapng
          1.12 MB
        3. firefox.pcapng
          5.17 MB
        4. ssl_handshake.beam
          124 kB
        5. ssl_handshake.erl
          142 kB

          Activity

            People

            Assignee:
            peterdmv Péter Dimitrov
            Reporter:
            tomciopp Thomas Cioppettini
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: