⚠️ 🧪 This post is work-in-progress. Changes are expected.

Inspect Secure Renegotiation using OpenSSL

While trying to reproduce the implementation bug CVE-2021-3449, I had to implement secure renegotiation as specified in RFC 5746. It is often unclear which RFC is responsible for a specific protocol behavior. With the abundance of extensions, messages and protocol versions, it is not trivial to find the correct specification, let alone verify that the one you found is the right one.

Therefore, it can be helpful to use a tool like OpenSSL to experiment with Secure Renegotiation or Session Resumption in TLS 1.2 and check whether the RFC you found actually describes the observed behavior.

If you start an OpenSSL TLS client or server on the command line, you can pass the flag -msg. This prints the TLS messages in plaintext as hex dumps, so you can even look at a renegotiation ClientHello, which is normally sent encrypted, without intercepting network traffic with tcpdump or Wireshark.

The following two examples each start a client and a server which dump the TLS messages they send and receive. To start a server we first need a dummy self-signed certificate and key, which we can generate using the following command:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Secure Renegotiation in TLS 1.2

Renegotiation is only available in TLS 1.2 and was removed from the 1.3 spec. Therefore, we start a TLS 1.2 server.

openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1_2 -msg

And start the client:

openssl s_client -msg -connect localhost:44330 -tls1_2

In the client, type a capital R and press <Enter> to trigger a renegotiation. By decoding the -msg output with Wireshark, as described in a previous post, we can inspect the extensions of the renegotiation ClientHello, such as renegotiation_info, which now carries the 12-byte client verify_data from the previous handshake:

TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 204
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 200
        Version: TLS 1.2 (0x0303)
        Random: 05c2bf8abe4aa85d3b9d3127e1c805289c3a71556f93bd269adff1b5d82f04bc
            GMT Unix Time: Jan 23, 1973 15:58:18.000000000 CET
            Random Bytes: be4aa85d3b9d3127e1c805289c3a71556f93bd269adff1b5d82f04bc
        Session ID Length: 0
        Cipher Suites Length: 54
        Cipher Suites (27 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            ...
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 105
        Extension: renegotiation_info (len=13)
            Type: renegotiation_info (65281)
            Length: 13
            Renegotiation Info extension
                Renegotiation info extension length: 12
                Renegotiation info: b5a38b5e23f4bca242b07119
        Extension: ec_point_formats (len=4)
            Type: ec_point_formats (11)
            Length: 4
            EC point formats Length: 3
            Elliptic curves point formats (3)
                EC point format: uncompressed (0)
                EC point format: ansiX962_compressed_prime (1)
                EC point format: ansiX962_compressed_char2 (2)
        Extension: supported_groups (len=12)
            Type: supported_groups (10)
            Length: 12
            Supported Groups List Length: 10
            Supported Groups (5 groups)
                Supported Group: x25519 (0x001d)
                Supported Group: secp256r1 (0x0017)
                Supported Group: x448 (0x001e)
                Supported Group: secp521r1 (0x0019)
                Supported Group: secp384r1 (0x0018)
        Extension: session_ticket (len=0)
            Type: session_ticket (35)
            Length: 0
            Data (0 bytes)
        Extension: encrypt_then_mac (len=0)
            Type: encrypt_then_mac (22)
            Length: 0
        Extension: extended_master_secret (len=0)
            Type: extended_master_secret (23)
            Length: 0
        Extension: signature_algorithms (len=48)
            Type: signature_algorithms (13)
            Length: 48
            Signature Hash Algorithms Length: 46
            Signature Hash Algorithms (23 algorithms)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                ...
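To make the RFC 5746 semantics of the dump concrete, here is an added example (my own code, not part of the original post or of OpenSSL) that parses a TLS 1.2 ClientHello, extracts the renegotiation_info extension (type 0xff01) and applies the server-side checks from RFC 5746 section 3.6: on the initial handshake the renegotiated_connection value must be empty, on a renegotiation it must equal the client's verify_data from the previous Finished message and the SCSV cipher suite 0x00ff must be absent. The build_client_hello helper, the sample messages and the filler random are constructed for this example; the 12-byte verify_data reuses the value from the Wireshark dump above but is otherwise arbitrary.

```python
import hmac
import struct

RENEGOTIATION_INFO = 0xFF01             # extension type (RFC 5746, section 3.2)
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite (RFC 5746, section 3.3)
VERIFY_DATA_LEN = 12                    # TLS 1.2 verify_data length (RFC 5246, section 7.4.9)


def build_client_hello(cipher_suites, extensions, session_id=b""):
    """Build a ClientHello handshake message (4-byte header included) as test input.
    The 32-byte random is a constructed filler value, not a real client random."""
    body = struct.pack("!H", 0x0303) + b"\x42" * 32
    body += bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                 # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Parse a ClientHello handshake message into version, session id,
    cipher suites and a dict mapping extension type -> extension data."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                        # skip the client random
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                # skip compression methods
    extensions = {}
    if pos < len(body):
        ext_total = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_total
        if end != len(body):
            raise ValueError("extensions length does not match ClientHello body")
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type in extensions:  # RFC 5246: an extension type may appear only once
                raise ValueError("duplicate extension %#06x" % ext_type)
            extensions[ext_type] = body[pos:pos + ext_len]
            pos += ext_len
        if pos != end:
            raise ValueError("extension data overruns the extensions block")
    return {"version": version, "session_id": session_id,
            "cipher_suites": suites, "extensions": extensions}


def renegotiated_connection(hello):
    """Return the renegotiated_connection value of renegotiation_info, or None
    when the extension is absent. An empty value signals an initial handshake."""
    ext = hello["extensions"].get(RENEGOTIATION_INFO)
    if ext is None:
        return None
    if len(ext) < 1 or len(ext) != 1 + ext[0]:
        raise ValueError("malformed renegotiation_info extension")
    return ext[1:]


def server_accepts(hello, previous_client_verify_data=None):
    """Server-side checks of RFC 5746 section 3.6. previous_client_verify_data is
    None for the initial handshake on a connection, otherwise the client's
    verify_data from the Finished message of the handshake being renegotiated."""
    value = renegotiated_connection(hello)
    scsv = EMPTY_RENEGOTIATION_INFO_SCSV in hello["cipher_suites"]
    if previous_client_verify_data is None:
        # initial handshake: the extension, if present, must carry an empty value
        return value is None or value == b""
    # renegotiation: SCSV forbidden, extension mandatory, value must match
    if scsv or value is None or len(value) != VERIFY_DATA_LEN:
        return False
    return hmac.compare_digest(value, previous_client_verify_data)


# Constructed sample messages; the verify_data is the value from the dump above.
PREV_VERIFY_DATA = bytes.fromhex("b5a38b5e23f4bca242b07119")
INITIAL_HELLO = build_client_hello([0xC02C, EMPTY_RENEGOTIATION_INFO_SCSV],
                                   [(RENEGOTIATION_INFO, b"\x00")])
RENEG_HELLO = build_client_hello([0xC02C],
                                 [(RENEGOTIATION_INFO, bytes([VERIFY_DATA_LEN]) + PREV_VERIFY_DATA)])

if __name__ == "__main__":
    for name, msg, prev in [("initial", INITIAL_HELLO, None),
                            ("renegotiation", RENEG_HELLO, PREV_VERIFY_DATA)]:
        hello = parse_client_hello(msg)
        print(name, "renegotiated_connection =", (renegotiated_connection(hello) or b"").hex(),
              "accepted =", server_accepts(hello, prev))
```

Feeding the renegotiation ClientHello to server_accepts without a previous verify_data is rejected, which is exactly the check that prevents a renegotiation from being spliced onto a fresh connection; the comparison uses hmac.compare_digest so that the verify_data check does not leak timing information.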

Session Resumption in TLS 1.2

Similarly, we can trigger a session resumption by passing the -reconnect flag to the OpenSSL client:

openssl s_client -msg -connect localhost:44330 -tls1_2 -reconnect

OpenSSL performs a full handshake, closes the connection and then reconnects using an abbreviated handshake that resumes the previous session.

Do you have questions? Send an email to max@maxammann.org