Skip to content

Disabling MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE reduces interoperability #9551

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gilles-peskine-arm opened this issue Sep 9, 2024 · 0 comments · Fixed by #9628
Closed

Disabling MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE reduces interoperability #9551

gilles-peskine-arm opened this issue Sep 9, 2024 · 0 comments · Fixed by #9628
Assignees
@gilles-peskine-arm
Labels
component-tls13 enhancement size-s Estimated task size: small (~2d)

Comments

@gilles-peskine-arm
Copy link
Contributor

gilles-peskine-arm commented Sep 9, 2024
edited
Loading

As of Mbed TLS 3.6.1, the documentation of suggests that disabling it breaks TLS 1.3 when an incompatible middlebox is disabled. But it actually breaks interoperability with any TLS 1.3 client or server that has middlebox compatibility active, such as OpenSSL or GnuTLS with default settings.

I will fix the documentation in #9546 (+ forward port). Thanks to Ronald's advice, the fix is very easy, all it takes is to adapt the tests. Done in #9563.

The definition of done for this issue is that disabling MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE only breaks interoperability when a middlebox is involved, and that it has no effect on interoperability with a peer that has middlebox compatibility enabled. This is how GnuTLS and OpenSSL behave. In particular, even when MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is disabled, ssl_client1 and ssl_server should interoperate with GnuTLS and OpenSSL with their default settings (without requiring -no_middlebox or %DISABLE_TLS13_COMPAT_MODE).
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 9, 2024
@gilles-peskine-arm
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE: document limitation when disabled
dfa32c6 
The documentation of MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE suggested that
disabling it breaks TLS 1.3 when an incompatible middlebox is disabled. But
it actually breaks interoperability with any TLS 1.3 client or server that
has middlebox compatibility active, such as OpenSSL or GnuTLS with default
settings. Document this.

Mbed-TLS#9551

Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 11, 2024
@gilles-peskine-arm
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE: document limitation when disabled
b6cf567 
The documentation of MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE suggested that
disabling it breaks TLS 1.3 when an incompatible middlebox is disabled. But
it actually breaks interoperability with any TLS 1.3 client or server that
has middlebox compatibility active, such as OpenSSL or GnuTLS with default
settings. Document this.

Mbed-TLS#9551

Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 12, 2024
@gilles-peskine-arm
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE: document limitation when disabled
1b80aad 
The documentation of MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE suggested that
disabling it breaks TLS 1.3 when an incompatible middlebox is disabled. But
it actually breaks interoperability with any TLS 1.3 client or server that
has middlebox compatibility active, such as OpenSSL or GnuTLS with default
settings. Document this.

Mbed-TLS#9551

Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 13, 2024
@gilles-peskine-arm
Changelog entry: fix Mbed-TLS#9551
0e475a6 
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 13, 2024
@gilles-peskine-arm
Changelog entry: fix Mbed-TLS#9551
f5b0c95 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm gilles-peskine-arm added the size-s Estimated task size: small (~2d) label Sep 13, 2024
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 13, 2024
@gilles-peskine-arm
Changelog entry: fix Mbed-TLS#9551
79e3e29 
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 13, 2024
@gilles-peskine-arm
Changelog entry: fix Mbed-TLS#9551
88b965e 
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 13, 2024
@gilles-peskine-arm
Changelog entry: fix Mbed-TLS#9551
4ab3d55 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm gilles-peskine-arm self-assigned this Sep 13, 2024
@mpg mpg mentioned this issue Sep 17, 2024
Merged
5 tasks
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 20, 2024
@gilles-peskine-arm
Changelog entry: fix Mbed-TLS#9551
2aecb13 
Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue Sep 24, 2024
@gilles-peskine-arm
Changelog entry: fix Mbed-TLS#9551
6f03eb8 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm gilles-peskine-arm mentioned this issue Sep 24, 2024
Merged
5 tasks
@github-project-automation github-project-automation bot moved this to Done in Barriers Sep 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gilles-peskine-arm gilles-peskine-arm

Labels
component-tls13 enhancement size-s Estimated task size: small (~2d)
Projects
Barriers
Archived in project
Milestone
No milestone
1 participant
@gilles-peskine-arm