From 195c0bc24edd7a6feeb2951d2d255f4482c8d323 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 8 Feb 2024 08:51:20 +0100
Subject: [PATCH 1/4] tls: Reset TLS maximum negotiable version
When reseting an SSL context with mbedtls_ssl_session_reset() reset the TLS maximum negotiable version as configured.
Signed-off-by: Ronald Cron
---
 library/ssl_tls.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0bc18f1261..0071b06aa7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1540,6 +1540,7 @@ int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+ ssl->tls_version = ssl->conf->max_tls_version;
 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
From 587cfe65ca3c82f65f60fd855c1f163652c4a4ba Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 8 Feb 2024 08:56:09 +0100
Subject: [PATCH 2/4] ssl-opt.sh: Establish TLS 1.2 then TLS 1.3 connection
Add a test where first we establish a TLS 1.2 session, then a TLS 1.3 one with the same server.
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 26c5a796fb..be4c6f70a7 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
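Review bot: The new `ssl->tls_version = ssl->conf->max_tls_version;` line in the ssl_tls.c hunk (patch 1/4) carries no comment, and the reason it is needed is not obvious from the surrounding code; suggest `/* Restore the configured maximum: a previous handshake on this context may have left tls_version at a lower negotiated value, which must not cap the next handshake. */`. The assignment also runs on the `partial` reset path; that looks intentional, since any version negotiated before the reset should be discarded, but it is worth stating in the comment. The body of mbedtls_ssl_session_reset_int continues outside the hunk.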
@@ -11700,6 +11700,18 @@ run_test "TLS 1.3: Default" \
 -s "ECDH/FFDH group: " \
 -s "selected signature algorithm ecdsa_secp256r1_sha256"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Establish TLS 1.2 then TLS 1.3 session" \
+ "$P_SRV" \
+ "( $P_CLI force_version=tls12; \
+ $P_CLI force_version=tls13 )" \
+ 0 \
+ -s "Protocol is TLSv1.2" \
+ -s "Protocol is TLSv1.3" \
+
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
From 90abb224f7f38a061813a81dc98d5de202d69808 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 8 Feb 2024 09:02:49 +0100
Subject: [PATCH 3/4] ssl-opt.sh: Establish TLS 1.3 then TLS 1.2 session
Add a test where first we establish a TLS 1.3 session, then a TLS 1.2 one with the same server.
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index be4c6f70a7..028a0f4617 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -11712,6 +11712,18 @@ run_test "Establish TLS 1.2 then TLS 1.3 session" \
 -s "Protocol is TLSv1.2" \
 -s "Protocol is TLSv1.3" \
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Establish TLS 1.3 then TLS 1.2 session" \
+ "$P_SRV" \
+ "( $P_CLI force_version=tls13; \
+ $P_CLI force_version=tls12 )" \
+ 0 \
+ -s "Protocol is TLSv1.3" \
+ -s "Protocol is TLSv1.2" \
+
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
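Review bot: In both ssl-opt.sh hunks (patches 2/4 and 3/4) the last argument line of the new run_test, `-s "Protocol is TLSv1.3" \` (respectively `-s "Protocol is TLSv1.2" \`), keeps a trailing backslash, so the added empty `+` line is what terminates the command, whereas the neighbouring `run_test "TLS 1.3: Default"` context ends its final `-s "selected signature algorithm ecdsa_secp256r1_sha256"` line without one. Dropping the backslash, `-s "Protocol is TLSv1.3"`, makes the argument list self-delimiting and avoids silently swallowing the following `requires_...` line if the blank line is ever removed. Note also that the client command is a subshell `( $P_CLI ...; $P_CLI ... )` whose exit status is that of the second client only, so the expected `0` cannot detect a failure of the first connection and the test relies entirely on the two `-s "Protocol is ..."` patterns to catch it; a one-line comment above the test saying so would help the next reader.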
From c522255e33e378a5fe8d92d931ee3eada4a989e1 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 8 Feb 2024 10:26:07 +0100
Subject: [PATCH 4/4] Add change log
Signed-off-by: Ronald Cron
---
 ChangeLog.d/tls-max-version-reset.txt | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 ChangeLog.d/tls-max-version-reset.txt
diff --git a/ChangeLog.d/tls-max-version-reset.txt b/ChangeLog.d/tls-max-version-reset.txt
new file mode 100644
index 0000000000..2fa58168c2
--- /dev/null
+++ b/ChangeLog.d/tls-max-version-reset.txt
@@ -0,0 +1,6 @@
+Security
+ * Restore the maximum TLS version to be negotiated to the configured one
+ when an SSL context is reset with the mbedtls_ssl_session_reset() API.
+ An attacker was able to prevent an Mbed TLS server from establishing any
+ TLS 1.3 connection potentially resulting in a Denial of Service or forced
+ version downgrade from TLS 1.3 to TLS 1.2. Fixes #8654 reported by hey3e.