OpenSSL servers can send a non-empty status_request in a CertificateRequest
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssl (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Bionic |
Fix Released
|
Medium
|
Bruce Elrick |
Bug Description
[Impact]
openssl does not conform to RFC8446, Sec. 4.4.2.1., by sending a
CertificateRequest message to the client with a non-empty
status_request extension.
This issue was fixed in openssl-1.1.1d and is included in Focal
onward.
Upstream issue is tracked at https:/
Upstream patch review at https:/
The issue leads to various client failures with TLS 1.3 as described in, e.g.
https:/
https:/
[Test Plan]
The issue can be reproduced by building with `enable-ssl-trace`
and then running `s_server` like this:
```
openssl s_server -key key.pem -cert cert.pem -status_file test/recipes/
```
And running `s_client` like this:
```
openssl s_client -status -trace -cert cert.pem -key key.pem
```
The output shows a `status_request` extension in the
`CertificateReq
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ApplicationData (23)
Length = 1591
Inner Content Type = Handshake (22)
Certificate
request_
extensions, length = 1567
0000 - 01 00 05 ed 30 82 05 e9-0a 01 00 a0 82 05 e2 ....0..........
000f - 30 82 05 de 06 09 2b 06-01 05 05 07 30 01 01 0.....+.....0..
001e - 04 82 05 cf 30 82 05 cb-30 82 01 1a a1 81 86 ....0...0......
002d - 30 81 83 31 0b 30 09 06-03 55 04 06 13 02 47 0..1.0...U....G
...more lines omitted...
If the `status_request` extension is present in a
`CertificateReq
Sec. 4.4.2.1.
[Where problems could occur]
The patch disables the `status_request` extension inside a
`CertificateReq
non-empty reply for the `status_request` extension will break
with this patch.
Changed in openssl (Ubuntu): | |
importance: | Undecided → Medium |
Changed in openssl (Ubuntu Bionic): | |
importance: | Undecided → Medium |
Changed in openssl (Ubuntu): | |
status: | New → Fix Released |
description: | updated |
description: | updated |
Changed in openssl (Ubuntu Bionic): | |
milestone: | none → bionic-updates |
milestone: | bionic-updates → none |
Changed in openssl (Ubuntu): | |
assignee: | Nicolas Bock (nicolasbock) → nobody |
Changed in openssl (Ubuntu Bionic): | |
assignee: | Nicolas Bock (nicolasbock) → Bruce Elrick (virtuous-sloth) |
status: | Fix Committed → In Progress |
tags: | removed: verification-needed verification-needed-bionic |
Test package at https:/ /launchpad. net/~nicolasboc k/+archive/ ubuntu/ sf00317240