Opened 6 years ago

Closed 6 years ago

#3463 enhancement closed fixed (fixed)

TLSv1 SSL handshake doesn't work with gtalk

Reported by: sjoerd Owned by:
Priority: normal Milestone: Twisted-8.2
Component: words Keywords:
Cc: Branch: branches/jabber-tls-handshake-3463
Author: ralphm Launchpad Bug:

Description

When connecting to gtalk using starttls and doing a TLSv1 SSL handshake, the gtalk server will stop responding and drop your connection :(

Using the SSLv23 method instead works fine, both for gtalk and various other jabber servers.

Attachments (2)

twisted-ssl-handshake.patch (748 bytes) - added by sjoerd 6 years ago.
tls-no-ticket.patch (539 bytes) - added by ralphm 6 years ago.
Patch to disable the Session Ticket extension


Change History (15)

Changed 6 years ago by sjoerd

comment:1 Changed 6 years ago by ralphm

  • Owner changed from exarkun to ralphm

XMPP Core (RFC 3920) uses TLS for securing the transport, and only references SSL once to refer to older methods that did not use STARTTLS. Therefore, I believe this bug is at Google Talk but I will verify this within the Jabber community.

That said, if I am not mistaken, SSLv2 has several nasty vulnerabilities, so we don't want to use that. It seems that SSLv3_METHOD also works with Google Talk. However, I don't think TLS is used in this case, which would be a bad default.

That leaves your suggestion of using SSLv23_METHOD. The client would send SSLv2 hello messages, and advertise supporting SSLv2, SSLv3 and TLSv1. Those can then be limited to only TLSv1 by using set_options on the context (OP_NO_SSLv2, OP_NO_SSLv3). However, that doesn't seem to work with Google Talk. Disabling TLSv1 support and leaving SSLv3 support on, does work. That would suggest that Google Talk only supports SSLv3, and only if TLS is disabled, or none are disabled. Yuck. I'll look further into this.

comment:2 Changed 6 years ago by ralphm

Oh, by the way, this is the first time I noticed this. It has worked before, I'm quite sure.

comment:3 Changed 6 years ago by exarkun

Other people have mentioned this problem before, but I've also been able to successfully connect to gtalk previously.

comment:4 Changed 6 years ago by sjoerd

Some other people here that hit this issue noticed that old-style SSL works fine. But the <starttls /> method doesn't.

comment:5 Changed 6 years ago by ralphm

As mentioned on the Twisted Jabber mailing list, the problem appears to be not in Google Talk per se. Apparently Java does not correctly handle the empty Session Ticket extension in the hello, which signals support for the extension.

A workaround is to disable this extension by setting the OP_NO_TICKET option on the SSL context. I've verified that this allows the Twisted based clients to connect again. I attached a patch for a quick fix, but we need to do this better. First of all, my PyOpenSSL doesn't expose the option value (0x4000) with a module attribute, so I had to hard code it.

exarkun: do you have a suggestion how to do this properly within Twisted?

Changed 6 years ago by ralphm

Patch to disable the Session Ticket extension
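The effect of the workaround in comment 5 can be checked offline by generating a ClientHello with and without the option and looking for the SessionTicket extension. This is an added example, not part of the ticket or of Twisted's code; it uses Python's standard `ssl` module (which exposes the flag as `ssl.OP_NO_TICKET`) rather than pyOpenSSL, and the hostname `xmpp.example` is a placeholder.

```python
import ssl
import struct

SESSION_TICKET = 35  # SessionTicket TLS extension type (RFC 5077)


def client_hello(ctx):
    """Start a handshake over in-memory BIOs and return the first flight."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "xmpp.example" is a placeholder; nothing is sent over the network.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="xmpp.example")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()


def hello_extensions(record):
    """Return {extension_type: body} for a single-record TLS ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # session_id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + record[pos]               # compression_methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        exts[etype] = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def ticket_extension(no_ticket):
    """Body of the SessionTicket extension in the hello, or None if absent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if no_ticket:
        ctx.options |= ssl.OP_NO_TICKET  # the option discussed in comment 5
    return hello_extensions(client_hello(ctx)).get(SESSION_TICKET)


if __name__ == "__main__":
    print("default:      ", ticket_extension(False))
    print("OP_NO_TICKET: ", ticket_extension(True))
```

With no cached session, the default hello carries the extension with an empty body, which is the case the ticket describes; with the option set, the extension is omitted entirely.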

comment:6 Changed 6 years ago by WizKid

I first reported the bug to Sun on 22 July.

When Sun makes the bug public, info about it will be here: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6728126 . But when that happens I have no idea. First Sun thought that there could be some security problem with the bug, but when they understood that it couldn't, they made it public for a short time but then they removed it again.

comment:7 Changed 6 years ago by ralphm

  • Author set to ralphm
  • Branch set to branches/jabber-tls-handshake-3463

(In [25410]) Branching to 'jabber-tls-handshake-3463'

comment:8 Changed 6 years ago by ralphm

  • Keywords review added
  • Milestone set to Twisted-8.2
  • Owner ralphm deleted

This change disables the Session Tickets extension by default, which makes connections to Google Talk and other buggy implementations work again.

Please review.

comment:10 follow-up: Changed 6 years ago by exarkun

  • Keywords review removed
  • Owner set to ralphm
  1. Please open a ticket in the pyOpenSSL tracker for exposing OP_NO_TICKET
  2. How can I test this? I tried doc/words/examples/xmpp_client.py but it apparently managed to start TLS with and without the changes in this branch. I suppose the OpenSSL version is important here. Do you know which version introduces the problem? I have 0.9.8g-4ubuntu3.

comment:11 in reply to: ↑ 10 Changed 6 years ago by ralphm

  • Keywords review added
  • Owner ralphm deleted

Replying to exarkun:

  1. Please open a ticket in the pyOpenSSL tracker for exposing OP_NO_TICKET

Done: https://bugs.launchpad.net/pyopenssl/+bug/300220

  2. How can I test this? I tried doc/words/examples/xmpp_client.py but it apparently managed to start TLS with and without the changes in this branch. I suppose the OpenSSL version is important here. Do you know which version introduces the problem? I have 0.9.8g-4ubuntu3.

The addition of Session Tickets has been introduced in one of the versions that ship with Ubuntu Intrepid (8.10). This is somewhere after the version you mentioned, which is for Hardy (8.4). I haven't been able to track down exactly which version, though. Looking at the upstream changelog, this functionality should only appear in version 0.9.9, but Ubuntu has applied a large patch against 0.9.8g for its packages.

Although the Twisted 8.2 milestone has been deleted (why not just closed?), it would be very nice if this could ship in that release.

comment:12 Changed 6 years ago by exarkun

  • Keywords review removed
  • Milestone changed from Twisted-8.2+1 to Twisted-8.2
  • Owner set to ralphm

Great. Please merge.

Talk to radix about how to get this into 8.2.

comment:12 Changed 6 years ago by ralphm

  • Resolution set to fixed
  • Status changed from new to closed

(In [25471]) Add an option to select if TLS Session Ticket extension is used.

Author: ralphm.
Reviewer: exarkun.
Fixes #3463.

The option is off by default to work around faulty server implementations that
become unresponsive when sending an empty TLS Session Ticket extension in the
TLS hello. This should solve connection issues with Google Talk, if using
an OpenSSL implementation that enables session tickets by default.

comment:13 Changed 3 years ago by <automation>

  • Owner ralphm deleted