GnuTLS servers are able to use tickets issued by each other without access to the secret key as generated by gnutls_session_ticket_key_generate()
. This allows a MITM server without valid credentials to resume sessions with a client that first established an initial connection with a server with valid credentials. The issue applies to TLS 1.3, when using TLS 1.2 resumption fails as expected.
Because the ticket can be used for resumption without knowledge of the master key I assume (but haven't tested yet) that it can also be used for passive decryption of early data.
I first noticed the issue with Ubuntu version 3.6.13-2ubuntu1, and reproduced it with a build from master
as of52e78f1e.
Steps to Reproduce
gnutls-serv --x509keyfile=authority/server/secret.key --x509certfile=authority/server/x509.pem openssl s_client -connect localhost:5556 -CAfile authority/x509.pem -verify_return_error -sess_out session.cache gnutls-serv --x509keyfile=rogueca/mitm/secret.key --x509certfile=rogueca/mitm/x509.pem openssl s_client -connect localhost:5556 -CAfile authority/x509.pem -verify_return_error -sess_in session.cache
I've used openssl s_client
to reproduce the problem because gnutls-cli
lacks a way to store resumption data across invocations, but the effect is also reproducible with applications using GnuTLS that cache session data long enough to change the server. I noticed the issue while implementing session resumption for proxy connections in mod_gnutls.
The certificates are just ones out of my test PKI, I can post them if it helps. What matters is that the server from step 1 has a certificate issued by a CA the client trusts, while the server from step 4 has one issued by a CA unknown to the client.
Actual results
The bogus server is able to resume the session, the client does not detect the attack.
Expected results
Session resumption should fail, leading to a full handshake, which must fail unless the second server has valid credentials. A successful full handshake would be the expected result if the server would be restarted with the same certificate instead of a bogus one.
GnuTLS servers are able to use tickets issued by each other without access to the secret key as generated by gnutls_session_ticket_key_generate()
. This allows a MITM server without valid credentials to resume sessions with a client that first established an initial connection with a server with valid credentials. The issue applies to TLS 1.3, when using TLS 1.2 resumption fails as expected.
Because the ticket can be used for resumption without knowledge of the master key I assume (but haven't tested yet) that it can also be used for passive decryption of early data.
I first noticed the issue with Ubuntu version 3.6.13-2ubuntu1, and reproduced it with a build from master
as of 52e78f1e3a95a6d9e4f1f9a72f6d77102e80f196.
Steps to Reproduce
gnutls-serv --x509keyfile=authority/server/secret.key --x509certfile=authority/server/x509.pem openssl s_client -connect localhost:5556 -CAfile authority/x509.pem -verify_return_error -sess_out session.cache gnutls-serv --x509keyfile=rogueca/mitm/secret.key --x509certfile=rogueca/mitm/x509.pem openssl s_client -connect localhost:5556 -CAfile authority/x509.pem -verify_return_error -sess_in session.cache
I've used openssl s_client
to reproduce the problem because gnutls-cli
lacks a way to store resumption data across invocations, but the effect is also reproducible with applications using GnuTLS that cache session data long enough to change the server. I noticed the issue while implementing session resumption for proxy connections in mod_gnutls.
The certificates are just ones out of my test PKI, I can post them if it helps. What matters is that the server from step 1 has a certificate issued by a CA the client trusts, while the server from step 4 has one issued by a CA unknown to the client.
Actual results
The bogus server is able to resume the session, the client does not detect the attack.
Expected results
Session resumption should fail, leading to a full handshake, which must fail unless the second server has valid credentials. A successful full handshake would be the expected result if the server would be restarted with the same certificate instead of a bogus one.
以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网
猜你喜欢:
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
新内容创业:我这样打造爆款IP
南立新、曲琳 / 机械工业出版社 / 2016-5-10 / 39.00
这是个内容创业爆棚的时代,在采访几十家内容创业公司,与一线最优秀的创业者独家对话之后,作者写作了这本书,其中包括对这个行业的真诚感触,以及希望沉淀下来的体系化思考。 本书共分三个部分讲述了爆红大号的内容创业模式和方法。其中第一部分,讲述了新的生产方式,即内容形态发展的现状--正在被塑造;第二部分,讲述了新的盈利探索,即从贩卖产品到贩卖内容的转变,该部分以多个案例进行佐证,内容翔实;第三部分,......一起来看看 《新内容创业:我这样打造爆款IP》 这本书的介绍吧!
