New session ticket breaks bidirectional shutdown of TLS 1.3 connection

[tiran]

CPython test suite is currently broken when run with OpenSSL 1.1.1. After some debugging and assistance from @alex and @reaperhulk I found the culprit. The code flow boils down to:

1. establish TLS connection
2. SSL_write(client, "data", 4) optional
3. SSL_read(server, out, 4) optional
4. SSL_shutdown(client)
5. SSL_shutdown(client)

In TLS 1.2, the second SSL_shutdown() call blocks and waits for a TLS shutdown alert from the server side. This is the expected behavior. For two-way shutdown, the calls must be interleaved.

In TLS 1.3 the second shutdown does not block. There is still pending data on the socket. The pending data turns out to be the session ticket from the server. This behavior breaks CPython's test suite and probably other programs, too. It looks like OpenSSL only consumes the session ticket when the client performs a SSL_read() operation. In case the client only writes or does not perform any application data IO, the ticket is stuck on the wire and breaks SSL_shutdown.

Reproducer

Thanks to Alex and Paul, I was able to come up with a simple reproducer in pure C, see https://github.com/tiran/testssl

TLS 1.3 broken case

$ ./testssl
Server version: TLSv1.3
Client version: TLSv1.3
Writing client...
Reading server...
Calling client shutdown once!
Calling client shutdown twice!
result: -1
SSL error: 5
errno: 0
ERR: 0
OpenSSL error

TLS 1.3 working case

$ ./testssl
Server version: TLSv1.3
Client version: TLSv1.3
Writing client...
Reading server...
Writing server...
Reading client...
Calling client shutdown once!
Calling client shutdown twice!
^Cmake: *** [Makefile:10: all] Interrupt

TLS 1.2

$ ./testssl
Server version: TLSv1.2
Client version: TLSv1.2
Writing client...
Reading server...
Calling client shutdown once!
Calling client shutdown twice!
^Cmake: *** [Makefile:10: all] Interrupt

[davidben]

The BoringSSL test suite should have some tests which exercise these scenarios. I haven't seen the 1.1.0 or 1.1.1 version of the code, but the 1.0.x shutdown logic was a little weird. We ended up rewriting it to run something closer to the usual pipeline. KeyUpdate is particularly fun because the peer may have decided to rekey at the same time that you decided to shutdown, so the shutdown logic must still rekey to have a hope of seeing close_notify.

At the same time, if you actually call new session callbacks on NewSessionTicket, that may confuse the caller (a lot of OpenSSL consumers blindly call SSL_shutdown just before SSL_free), so you want to suppress processing there.

[tiran]

Unidirectional shutdown (calling SSL_shutdown once) is not a problem. The scenario only breaks for bidirectinal shutdown. CPython' ssl module uses bidirectional shutdown to turn a TLS-wrapped socket back into a regular socket.

(For the rest of the audience, the first SSL_shutdown sends a TLS shutdown alert to the peer. The second SSL_shutdown blocks and waits until the peer sends TLS shutdown alert back.)

I don't see any sane way to work around the issue in application code. SSL_get0_session doesn't perform a read. SSL_peek blocks for blocking sockets. I really don't want to fcntl(O_NONBLOCK) the socket around SSL_peek...

[kroeckx]

Have you read the SSL_shutdown manpage recently?

[kroeckx]

Is there actually normal communication supported on that socket after the shutdown? I wanted to enable read ahead by default (see #6233), but it seems that it's then likely to break cpython.

[davidben]

Unidirectional shutdown (calling SSL_shutdown once) is not a problem. The scenario only breaks for bidirectinal shutdown.

Yes, the BoringSSL tests I'm referring to test it for bidirectional shutdown. And, yes, I've seen OpenSSL consumers that blindly do bidi shutdown before SSL_free too, so the cited NewSessionTicket and KeyUpdate edge cases both apply. Folks use OpenSSL in the strangest ways. I suspect it's all due to the unexpected interaction with session resumption that results in everyone trying random things until it works. (Actually CPython gets this wrong too, unless you've since fixed this. See #1550 (comment))

[tiran]

@davidben No, I haven't fixed it yet. CPython still gets it totally wrong. :( We still kill the underlying socket without properly shutting down the SSL connection. I like to fix it but I'm worried I'll break tons of applications. Maybe in Python 3.8.

@kroeckx CPython disables read-ahead as part of dual shutdown.

[davidben]

Bidi shutdown is also still meaningful with read-ahead/without "STOPTLS". You will wait for when the other side sent a close_notify, which is a coherent thing to ask for. It's just kind of pointless. :-)

[kroeckx]

So if you read the manpage, after SSL_shutdown() you should call SSL_read() until it says the connection is closed.

[davidben]

Interesting. I suspect that is not a backwards-compatible requirement, but it's been a while since I've wrestled with SSL_shutdown callers, so I may be wrong. Historically, SSL_shutdown would skip over data, though it was quite buggy in how it worked.

Though, yeah, the approach we took is indeed to make the reading half of SSL_shutdown look like an SSL_read that discards data.

[tiran]

@kroeckx Please enlighten me. I unable to spot the requirement in https://www.openssl.org/docs/man1.1.0/ssl/SSL_shutdown.html . The only reference to SSL_read is:

If the peer already sent the "close notify" alert and it was already processed implicitly inside another function (SSL_read), the SSL_RECEIVED_SHUTDOWN flag is set.

@davidben SGTM, I was about to suggest the same.

Kurt, what's the status of TLS 1.3 in OpenSSL 1.1.1? A while ago you raised the question whether 1.1.1 should have TLS 1.3 enabled by default. The problem breaks CPython's ssl module. If OpenSSL decided to ship 1.1.1 with max protocol TLSv1_3, I may have to disable TLS 1.3 in Python 3.7 by default.

[davidben]

NB: You probably don't want it to run the read path completely unmodified, to avoid callbacks running at weird times. BoringSSL assembles handshake messages, processes TLS 1.3 KeyUpdates, discards TLS 1.3 tickets, and rejects renegotiation attempts.

[kroeckx]

The manpage is master (which I linked to) was updated to say:

The peer is still allowed to send data after receiving the "close notify" event. If the peer did send data it need to be processed by calling SSL_read() before calling SSL_shutdown() a second time. SSL_read() will indicate the end of the peer data by returning <= 0 and SSL_get_error() returning SSL_ERROR_ZERO_RETURN. It is recommended to call SSL_read() between SSL_shutdown() calls.

I'm not sure why I didn't apply #5823 in other branches, because it's valid for all branches, except the part about SSL 2, which I guess is still supported in 1.0.2.

[kroeckx]

Nobody has reported any new issues, so I'm assuming everything works perfectly, and that we'll enable TLS 1.3 by default.