Conversation
|
CI failures look relevant. Is it possible to have a test for this? I assume our own QUIC stack is similarly affected by this, so perhaps something in quicapitest.c which sets up a QUIC connection with ECH and verifies that a connection is established. |
Looking at that now.
Will take a look at that. (In an hour-ish.) It should be possible given that this seems to work for |
|
This LGTM so far. |
| sess_id_len = sizeof(s->tmp_session_id); | ||
| if (SSL_IS_QUIC_HANDSHAKE(s)) | ||
| sess_id_len = 0; | ||
| else | ||
| sess_id_len = sizeof(s->tmp_session_id); |
There was a problem hiding this comment.
I am curious why this is needed. What is different between QUIC and regular TLS connection that needs this change?
There was a problem hiding this comment.
That was more or less done by observation;-) I didn't find where the QUIC code does it, but the session id in the ClientHello is 'legacy' for QUIC, which I guess uses QUIC connection ids instead. For TLS/TCP cases we want a standard 32 octet sized session id.
There was a problem hiding this comment.
Hmm. I actually think is more to do with whether the SSL_OP_ENABLE_MIDDLEBOX_COMPAT option is set. This is set by default, but if it's NOT set (which it isn't for QUIC), and we're TLSv1.3 only, then the sess_id_len is 0.
There was a problem hiding this comment.
Edited my note above to actually make sense and not say the opposite of what I actually meant!!
There was a problem hiding this comment.
so if compat mode is set, then use a 32 octet session id, but otherwise zero length? (that matches 8446 all right) - that seems to work ok with curl etc.
There was a problem hiding this comment.
just pushed a version that I think does that
|
The fixup above adds a test, which, surprisingly, just worked when I figured out the test code. There are a couple of |
|
After much faffing about to find the right way to make the CI happy, tests now pass - but there's still the couple of
Other than that, if it makes is easier, happy to squash the loads of fixups here, just tell me. But on the whole, it's a nice surprise that ECH seems to just work (almost if not quite correctly) for QUIC:-) |
|
fixup above have good changes suggested by @mattcaswell |
| if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) | ||
| sess_id_len = sizeof(s->tmp_session_id); | ||
| else | ||
| sess_id_len = 0; |
There was a problem hiding this comment.
Is it possible to end up here and end up not negotiating TLSv1.3? The conditions at the moment for sending a zero length sess id are minimum protocol is TLSv1.3 AND middlebox mode is off.
There was a problem hiding this comment.
ECH is only defined for TSLv1.3 though, would have to look to check if there's a code path here before that's enforced
There was a problem hiding this comment.
could add a version check there too if you'd prefer
There was a problem hiding this comment.
adding a check for 1.3 if we're doing ECH (and bailing if not) just before here works fine - want me to push that up?
There was a problem hiding this comment.
it looks like this:
$ git diff
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 819555f24a..36c698c163 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1489,6 +1489,10 @@ __owur CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pk
#ifndef OPENSSL_NO_ECH
/* same session ID is used for inner/outer when doing ECH */
if (s->ext.ech.es != NULL) {
+ if (s->version != TLS1_3_VERSION) {
+ SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_SSL_VERSION);
+ return CON_FUNC_ERROR;
+ }
if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
sess_id_len = sizeof(s->tmp_session_id);
else
There was a problem hiding this comment.
As an FYI, with the code above our TLSv12 test case fails there, so I'd say it's good to add. I'll push that (and apologies for forcing a re-review)
|
This pull request is ready to merge |
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> MergeDate: Sat Apr 11 18:29:37 2026 (Merged from #30727)
|
Thank you. Merged to |
Reviewed-by: Tomas Mraz <tomas@openssl.foundation> Reviewed-by: Matt Caswell <matt@openssl.foundation> MergeDate: Sat Apr 11 18:34:40 2026 (Merged from #30727)
This PR tweaks how custom extensions are handled by ECH and forces the session id length in the client hello to zero in order to enable use of ECH with QUIC for a curl build.
This PR is a fix for #30697