Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSLlabs.com test fails #8995

Closed
Aethedor opened this issue Mar 29, 2024 · 14 comments
Closed

SSLlabs.com test fails #8995

Aethedor opened this issue Mar 29, 2024 · 14 comments

Comments

@Aethedor
Copy link

Aethedor commented Mar 29, 2024

Summary

I use mbed TLS in my Hiawatha webserver. I updated to version 3.6.0 and enabled TLS v1.3 support. (btw, congrats with this new milestone!) It seems to work fine, but SSLlabs.com shows a failure while testing my server. When I only support TLS v1.3 (disabling TLS v1.2) the test runs fine. Same with only supporting TLS v1.2 (not enabling TLS v1.3).

System information

Mbed TLS version (number or commit id): 3.6.0
Operating system and version: Ubuntu Linux (Jammy)
Configuration (if not default, please attach mbedtls_config.h):
I enabled the following settings:
MBEDTLS_THREADING_PTHREAD
MBEDTLS_THREADING_C
MBEDTLS_SSL_PROTO_TLS1_3
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE

I disabled the following settings:
MBEDTLS_ECP_DP_SECP192R1_ENABLED
MBEDTLS_ECP_DP_SECP192K1_ENABLED

Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:

Expected behavior

I hoped SSLlabs.com would show the result of a server test.

Actual behavior

SSLlabs.com shows a failure while testing renegotation.

Steps to reproduce

Visit ssllabs.com, select Test your server and test www.hiawatha-webserver.org

Additional information

You can test Hiawatha v11.6 (not yet released) which has mbed TLS v3.6.0 by downloading it via https://www.leisink.net/hiawatha-11.6.tar.gz

@bensze01 bensze01 self-assigned this Apr 3, 2024
@bensze01
Copy link
Contributor

Hi! Thanks for reporting this issue.

Could you help us debug this by providing some more information about exactly which SSLLabs tests are failing?

As far as I can tell, SSLLabs is just reporting an "Unexpected Failure", which they claim is usually caused by having multiple "Multiple TLS servers behind the same IP address".

Also, it looks like the download link for the unreleased Hiawatha 11.6 is broken.

@bensze01 bensze01 added the needs-info An issue or PR which needs further info from the reporter / author label Apr 10, 2024
@Aethedor
Copy link
Author

The test fails after saying 'Testing renegotiation'. Does that help? I can share a tcpdump of the scan. I'm willing to help, let me know what you need.

The download link was a http:// link by mistake. Changed it to https://. Should work.

@bensze01
Copy link
Contributor

bensze01 commented Apr 10, 2024

Yeah, a tcpdump would be great! Ideally both of the failing TLS 1.2+1.3 and the working TLS 1.2 only and TLS 1.3 only test sessions.

Also, could you try running the test with MBEDTLS_SSL_RENEGOTIATION disabled in the 1.2+1.3 config? Just to quickly check if the issue is indeed in the renegotiation code, or if that just happens to be the last test that succeeded.

@Aethedor
Copy link
Author

Aethedor commented Apr 10, 2024

I use mbedtls_ssl_conf_renegotiation(&client_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED) to disable it. Would that be the same?

To what e-mail address can I send the tcpdump?

@bensze01
Copy link
Contributor

In principle it should be equivalent. Please send the tcpdump to [email protected]

@bensze01
Copy link
Contributor

Could you also enable TLS debugging in MbedTLS and send me the logs?

@Aethedor
Copy link
Author

Aethedor commented Apr 10, 2024

TCPdumps for TLS1.2 only, TLS1.3 only and both TLS1.2 and TLS1.3 have been sent. I've added the corresponding ssllabs.com output. I've also send a Mbed TLS debug logfile of the failing both-TLS1.2-and-TLS1.3 test.

@Aethedor
Copy link
Author

Mail received? What's next?

@bensze01
Copy link
Contributor

Hi! Sorry for the late reply. I've received the emails - I was sidetracked a bit by unrelated tasks, but I'm looking into the issue.

@Aethedor
Copy link
Author

Anything yet?

@Aethedor
Copy link
Author

Any status update?

@Aethedor
Copy link
Author

Can I assume this bug has no priority? Then I'll ignore it from now on.

@waleed-elmelegy-arm
Copy link
Contributor

Hi @Aethedor ,
I think I found the reason to your problem, it is described in #9243 but I can't test with SSLlabs.com to double check, can you try the patch at #9244 and see if it works? Thanks.

@waleed-elmelegy-arm waleed-elmelegy-arm added bug component-tls13 and removed needs-info An issue or PR which needs further info from the reporter / author labels Jun 19, 2024
@waleed-elmelegy-arm
Copy link
Contributor

Fixed in #9244

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants