crypto/tls: implement TLS 1.3 middlebox compatibility mode

Looks like the introduction of CCS records in the client second flight gave time to s_server to send NewSessionTicket messages in between the client application data and close_notify. There seems to be no way of turning NewSessionTicket messages off, neither by not sending a psk_key_exchange_modes extension, nor by command line flag. Interleaving the client write like that tickled an issue akin to #18701: on Windows, the client reaches Close() before the last record is drained from the send buffer, the kernel notices and resets the connection, cutting short the last flow. There is no good way of synchronizing this, so we sleep for a RTT before calling close, like in CL 75210. Sigh. Updates #9671 Change-Id: I44dc1cca17b373695b5a18c2741f218af2990bd1 Reviewed-on: https://go-review.googlesource.com/c/147419 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2025-04-04 12:37:35 +03:00 · 2018-11-03 20:04:44 -04:00 · 2018-11-03 20:04:44 -04:00 · 5b79a7c982
commit 5b79a7c982
parent e04a8ac694
25 changed files with 1935 additions and 1594 deletions
--- a/handshake_server_tls13.go
+++ b/handshake_server_tls13.go
@ -20,6 +20,7 @@ type serverHandshakeStateTLS13 struct {
 	c               *Conn
 	clientHello     *clientHelloMsg
 	hello           *serverHelloMsg
+	sentDummyCCS    bool
 	suite           *cipherSuiteTLS13
 	cert            *Certificate
 	sigAlg          SignatureScheme
@ -205,6 +206,18 @@ GroupSelection:
 	return nil
 }

+// sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
+// with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
+func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
+	if hs.sentDummyCCS {
+		return nil
+	}
+	hs.sentDummyCCS = true
+
+	_, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
+	return err
+}
+
 func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
 	c := hs.c

@ -231,6 +244,10 @@ func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID)
 		return err
 	}

+	if err := hs.sendDummyChangeCipherSpec(); err != nil {
+		return err
+	}
+
 	msg, err := c.readHandshake()
 	if err != nil {
 		return err
@ -329,6 +346,10 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
 		return err
 	}

+	if err := hs.sendDummyChangeCipherSpec(); err != nil {
+		return err
+	}
+
 	clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
 		clientHandshakeTrafficLabel, hs.transcript)
 	c.in.setTrafficSecret(hs.suite, clientSecret)