-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Secure Client-Initiated Renegotiation Testing Yields False Vulnerability #2590
Comments
Hi, thanks for reporting! Unfortunately I can't reproduce it. I tried 50x from North America and 50x from Europe to generate a response VULNERABLE but I wasn't able to. Independent on that: While suggestions are always appreciated but with Actually I don´t know where CONNECTED should come from. Is that a kafka thing? |
You are in the specific case $SERVICE != HTTP. |
Other though: |
@Tazmaniac : Thanks a lot for taking care! Love that 👍 I would suggest though that we need to reproduce the problem before patching. If we try to handle all not-really-possible or not-possible cases it's not good for the code base. There's enough legacy stuff already |
@prabhakaran-motorq : you really have a problem on your server/LB side
Correct behavior:
|
Hi @Tazmaniac, thanks for taking the time to go over this. Could you share the paranoid version of testssl.sh to me, please?
Also, during your testing were you able to do multiple renegotiations initiated by the client in a single connection? Also, are you able to reproduce this renegotiation when you manually run the openssl (vulnerable version) s_client and typing out 'R' via stdin? |
No, but it give me insight, we have another not handled openssl s_client corner case:
pattern. But with In the general http case, we stay in interactive mode, STDIN being closed at the end of the test or by the server. So we could not hit this race/bug. Adding SSL_RENEG_WAIT (0.25s by default) seems to be sufficient to close the race window in your case, but as a quick safe fix I will put a 1s delay if @drwetter is ok. The proper fix is to do a big cleanup, merging the second test with the http one (with ssl_reneg_attempts=2) as the big http loop is properly taking care of all possible case, waiting for the server result without closing prematurely STDIN. But for this fix, I will need time to do it carefully with proper testing. |
Proper fix need another refactoring/cleanup of the renego test.
Proper fix need another refactoring/cleanup of the renego test.
Proper fix need another refactoring/cleanup of the renego test.
Proper fix need another refactoring/cleanup of the renego test.
@prabhakaran-motorq you can test https://github.com/Tazmaniac/testssl.sh/tree/client-renego-refactoring which contain the proper fix / cleanup and fix a bad interaction between --openssl-timeout and the renego loop. |
@Tazmaniac thanks for the working on this. When I initially found this issue, I tried sleep 1, but even in that case, I still got "DONE" very rarely. Especially in my MacBook M1 Pro (15.0.1 (24A348)) but that worked fine in my Linux machine, that is why I resorted to expect. I tried this fix (https://github.com/Tazmaniac/testssl.sh/tree/client-renego-refactoring) in my MacBook Our customer partners generally test using testssl.sh on their local system before sending it to their security team. So even with this fix, sometimes it may classify it as vulnerable. |
You did not use the correct branch. You shoud see
as the version (latest commit). |
Thanks for pointing it out, |
Please do a git pull to test the latest version (git tag 7625422 2024-11-04 21:02:03). Today I will do more testing and submit a PR if all is OK. |
@Tazmaniac : thanks for the PR! Your suggestion to do a git pull and to test was for @prabhakaran-motorq or for me? |
It was for @prabhakaran-motorq. |
@drwetter @Tazmaniac what the timeline that we are looking to merge this? Thanks for all the support on this. Appreciate this. |
@prabhakaran-motorq Which of the two PRs do you mean? |
|
next week |
I merged the quick fix first from @Tazmaniac (thanks!), hoping it'll hel For #2598 I need more time |
Secure Client-Initiated Renegotiation Testing Yields False Vulnerability
While testing client-initiated renegotiation, piping the character 'R' into OpenSSL's
s_client
command can lead to a false vulnerability detection. The issue arises because the client can close the connection before the server has a chance to respond with "closed." As a result, the "closed" status may not be logged when the status code is 0, causingtestssl.sh
to incorrectly classify the connection as vulnerable.Details:
We operate our own Kafka servers and ran tests using
testssl.sh
. During some of these tests, client-initiated renegotiation was incorrectly flagged as vulnerable. Upon further investigation, we discovered that sending the 'R' character through stdin even with a delay was inconsistent and unreliable.To address this, we devised a more reliable testing method using the
expect
command. This approach ensures the connection is fully established before sending the renegotiation request ('R').Commands to Test:
Original Flaky Command
The following command sometimes fails to give reliable results:
To observe the flakiness, the command can be run multiple times:
Reliable Testing Using
expect
The
expect
command waits for a "CONNECTED" message before sending the 'R' character, ensuring the connection is stable:expect -c 'spawn openssl s_client -tls1_2 -connect ashu-kafka-broker-0.motorq.com:9094; expect "CONNECTED"; send "R\r"; interact'
Running this command multiple times produces consistent results:
Issue in
testssl.sh
Here is a screenshot of the issue within
testssl.sh
:I'm using version 3.2, commit ID: 6452ec9. Similar issues have been reported in these discussions:
Expected Behavior:
As
testssl.sh
is widely used in the industry, it should yield reliable results. In cases where results are inconclusive, the script should indicate this rather than erroneously reporting a vulnerability. The followingexpect
command can be used to test multiple renegotiations within a single session:To further validate, a dummy server can be spun up without disabling renegotiation:
System Information:
PS:
This is my first time raising an issue here. If there's any additional information that would be helpful, please let me know, and I'd be happy to provide it. Our partner company relies heavily on
testssl.sh
and is currently blocked due to this issue, so resolving it is critical. I am more than willing to assist in testing, debugging, or providing any further details to expedite a solution. Additionally, feel free to useashu-kafka-broker-0.motorq.com:9094
for your testing and confirmation. Your support is greatly appreciated.The text was updated successfully, but these errors were encountered: