[gnutls-devel] GnuTLS | clang ASAN fails on testcompat-tls13-openssl.sh (#920)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Jan 28 15:05:13 CET 2020




Tim Rühsen commented:


Running the test script with `bash -x` prints the actual command lines of the server and client.

Now I started the server in one console and the client in a second console:
Server:
```
$ openssl s_server -accept 43445 -keyform pem -certform pem -key ./../../doc/credentials/x509/key-rsa.pem -cert ./../../doc/credentials/x509/cert-rsa.pem -CAfile ./../../doc/credentials/x509/ca.pem -early_data
Using default temp DH parameters
ACCEPT

```

Now starting client:
```
$ ../../src/gnutls-cli -p 43445 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL --earlydata /tmp/tls13-openssl-resumption.qF8l0q/earlydata.txt --insecure --inline-commands
Processed 0 CA certificate(s).
Resolving '127.0.0.1:43445'...
Connecting to '127.0.0.1:43445'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=GnuTLS Test Server (RSA certificate)', issuer `CN=GnuTLS Test CA', serial 0x4de0b4ca, RSA key 2432 bits, signed using RSA-SHA256, activated `2011-05-28 08:39:39 UTC', expires `2038-10-12 08:39:40 UTC', pin-sha256="ZCnc2x+EUztg6ShnEvwtcHxusyXqJ5RJLNCDLc+lVNE="
        Public Key ID:
                sha1:482334530a8931384a5aeacab6d2a6dece1d2b18
                sha256:6429dcdb1f84533b60e9286712fc2d707c6eb325ea2794492cd0832dcfa554d1
        Public Key PIN:
                pin-sha256:ZCnc2x+EUztg6ShnEvwtcHxusyXqJ5RJLNCDLc+lVNE=

- Certificate[1] info:
 - subject `CN=GnuTLS Test CA', issuer `CN=GnuTLS Test CA', serial 0x00, RSA key 2432 bits, signed using RSA-SHA256, activated `2011-05-28 08:36:30 UTC', expires `2038-10-12 08:36:33 UTC', pin-sha256="Q6gIwA8tsmcqv+Fmom0cnzs9jZGV+iyqEIx0AQtfCQE="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed...
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

```

The output in the server console is
```
No early data received
DONE
shutting down SSL
CONNECTION CLOSED
```

But the client is still waiting - I had to manually ctrl-d.
The server clearly says "No early data received".

*Without* ASAN, the server says
```
 openssl s_server -accept 43445 -keyform pem -certform pem -key ./../../doc/credentials/x509/key-rsa.pem -cert ./../../doc/credentials/x509/cert-rsa.pem -CAfile ./../../doc/credentials/x509/ca.pem -early_data
Using default temp DH parameters
ACCEPT
No early data received
-----BEGIN SSL SESSION PARAMETERS-----
MIGDAgEBAgIDBAQCEwIEILIL+Ng522T/+Y/32o1W59+8WwnnV6AkKIk+pNDsdSVl
BDAlRh28LW5ilioqwzOBltY/bphABnQnfAIlWcP72SJkmNNKQXXxSgZjY8/A24Jq
uFahBgIEXjA/QqIEAgIcIKQGBAQBAAAArgYCBBRRkzivBAICQAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA256:ECDSA+SHA256:Ed25519:RSA+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA384:ECDSA+SHA384:Ed448:RSA+SHA512:RSA-PSS+SHA512:RSA-PSS+SHA512:ECDSA+SHA512
Supported Elliptic Groups: P-256:P-384:P-521:X25519:X448:0x0100:0x0101:0x0102:0x0103:0x0104
Shared Elliptic groups: P-256:P-384:P-521:X25519:X448
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
```

And again we see "No early data received".

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/920#note_278092842