nginx 1.19.4 feature "ssl_reject_handshake" does not work as intended with openssl

[i81b4u]

Nginx 1.19.4 introduced a new feature called "ssl_reject_handshake" which can be used to block unwanted SSL handshakes. I noticed that, when enabled, it effectively turns off TLSv1.3. I opened the following ticket: https://trac.nginx.org/nginx/ticket/2071

It seems like the problem arises due to the way openssl handles requests, because (and I quote): "since it checks for supported protocol versions before switching context, and nginx can't influence it".

Can you confirm the findings as stated by the nginx engineer and if so, would you please consider fixing it in a future openssl release?

[i81b4u]

In the mean time I recompiled nginx with boringssl and can confirm that "ssl_reject_handshake" now works as intended.

[mattcaswell]

"since it checks for supported protocol versions before switching context, and nginx can't influence it".

The server name callback occurs later on in the ClientHello processing after certain extensions and decisions have already been taken. Changing this is probably not feasible for backwards compatibility reasons (something boringssl does not worry too much about).

If very early context switching is required (i.e. before protocol negotiation) then a ClientHello callback can be used instead:

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_client_hello_cb.html

This would give nginx to ability to have the desired influence.

[mdounin]

If very early context switching is required (i.e. before protocol negotiation) then a ClientHello callback can be used instead:

It cannot be used. Most notably, because server name requested is not known during ClientHello callback, and making it known depends on decisions made by the OpenSSL library after the callback is called. For example, if the only available protocol on the server side is SSLv3, server name from the ClientHello must not be used at all, yet this is generally not known to the application. Not to mention it is from hard to impossible to correctly extract server name in a portable way from a ClientHello, especially taking eSNI / ECH into account.

Rather, I would say it is simply a bug to assume TLSv1.3 cannot (or can) be used based on the certificates set in the SSL_CTX before the servername callback is called, which is specifically designed to configure servername-specific certificates.

[mattcaswell]

It cannot be used. Most notably, because server name requested is not known during ClientHello callback, and making it known depends on decisions made by the OpenSSL library after the callback is called.

Well this seems like a catch-22. You want the server name call back to be called later in the process after certain decisions have been made....but you also want it before those decisions are made in order to influence them :-)

For example, if the only available protocol on the server side is SSLv3, server name from the ClientHello must not be used at all, yet this is generally not known to the application. Not to mention it is from hard to impossible to correctly extract server name in a portable way from a ClientHello, especially taking eSNI / ECH into account.

Well eSNI/ECH is not yet supported anyway so that shouldn't currently be an issue (although could become one). I'd be interested in the thoughts of @tmshort and @kaduk on the above since the client hello cb was designed specifically with the server name extension in mind.

Rather, I would say it is simply a bug to assume TLSv1.3 cannot (or can) be used based on the certificates set in the SSL_CTX before the servername callback is called, which is specifically designed to configure servername-specific certificates.

I suppose is_tls13_capable could just return 1 if a servername cb has been set (it already does that if a PSK cb has been set).

[mdounin]

Well this seems like a catch-22. You want the server name call back to be called later in the process after certain decisions have been made....but you also want it before those decisions are made in order to influence them :-)

Not really. In this particular case I simply do not want some decisions to be made before the servername callback is called, as they are clearly made out of incorrect assumptions.

In more generic use case, as discussed as a part of servername-specific list of supported protocols[1], OpenSSL can maintain a set of available protocols, and only choose a specific protocol once the servername callback is called. It is understood that this implies a lot of burden for the library though.

Well eSNI/ECH is not yet supported anyway so that shouldn't currently be an issue (although could become one). I'd be interested in the thoughts of @tmshort and @kaduk on the above since the client hello cb was designed specifically with the server name extension in mind.

For the record, previous attempts to use ClientHello callback in nginx can be found here. The resulting code is overcomplicated even assuming OpenSSL-only implementation, and have obvious drawbacks of not being compatible with SSLv3 and eSNI/ECH.

I suppose is_tls13_capable could just return 1 if a servername cb has been set (it already does that if a PSK cb has been set).

Yes, this should fix the issue observed by the reporter.