programs/ssl/ssl_server2 bug

[hey3e]

Summary

programs/ssl/ssl_server2 refuses following tls1.3 connections from a peer if that peer used to establish tls1.2 connections with the server previously.

System information

Mbed TLS version (number or commit id): 3.4.0 f1c032a
Operating system and version: Ubuntu 22.04.2 LTS
Configuration (if not default, please attach mbedtls_config.h): #define MBEDTLS_SSL_PROTO_TLS1_3
Compiler and options (if you used a pre-built binary, please indicate how you obtained it): default
Additional environment information: no

Expected behavior

programs/ssl/ssl_server2 allows following tls1.3 connections from a peer if that peer used to establish tls1.2 connections with the server previously.

Actual behavior

programs/ssl/ssl_server2 refuses following tls1.3 connections from a peer if that peer used to establish tls1.2 connections with the server previously.

Steps to reproduce

server: ./programs/ssl/ssl_server2
client: ./programs/ssl/ssl_client2 force_version=tls12
server shows Successful connection

Then, ctrl+c to close client, keep server running, restart client with ./programs/ssl/ssl_client2 force_version=tls13
server shows Last error was: -0x7780 - SSL - A fatal alert message was received from our peer

Additional information

Did not see this behavior in other tls implementations.

[yanesca]

Form include/mbedtls/mbedtls_config.h:

* \def MBEDTLS_SSL_PROTO_TLS1_3
*
* Enable support for TLS 1.3.
*
* \note The support for TLS 1.3 is not comprehensive yet, in particular
*       pre-shared keys are not supported.
*       See docs/architecture/tls13-support.md for a description of the TLS
*       1.3 support that this option enables.

From docs/architecture/tls13-support.md:

• Supported versions:
  - TLS 1.2 and TLS 1.3 with version negotiation on the client side, not server
  side.

In summary, the server side doesn't have version negotiation yet. This is a documented limitation of TLS 1.3 in the library, which is a feature still in development.

[ronald-cron-arm]

Thanks for the report. I have checked and this is still relevant in 3.5 where we support version negotiation on server side. When a connection is closed, ssl_server2 uses mbedtls_ssl_session_reset() to reset the SSL context to prepare for the following connection. In mbedtls_ssl_session_reset() the TLS maximum negotiable version is not reset properly: if the last connection negotiated TLS 1.2 that's the new maximum.

[tom-cosgrove-arm]

Fixed released in Mbed TLS v3.6 by

commit ad736991bb59211118a29fe115367c24495300c2
Merge: 2f387e98a c522255e3
Author: Janos Follath <janos.follath@arm.com>
Date:   Fri Feb 9 16:04:59 2024 +0000

    Merge pull request #1177 from ronald-cron-arm/tls-max-version-reset

    Reset properly the TLS maximum negotiable version