While trying to reproduce the implementation bug CVE-2021-3449, I had to implement secure renegotiation as specified in RFC 5746. Often it is unclear which RFC is responsible for specific protocol behavior. With the abundance of extensions, messages and protocol versions it is not trivial to find and also verify whether you found the correct specification.
Therefore, it can be helpful to use a tool like OpenSSL to experiment with Secure Renegotiation or Session Resumption in TLS 1.2 and check whether the found RFC is the correct one.
If you start an OpenSSL TLS client or server on the command line, you can pass the flag `-msg`. This prints the plaintext TLS messages as hex dumps. So you can even take a look at a usually encrypted renegotiation ClientHello without intercepting network traffic with tcpdump or Wireshark.
The following two examples start a client and a server, both dumping their TLS messages. To start a server we first need a dummy certificate and key, which we can generate using the following command:

```shell
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
```
Renegotiation is only available up to TLS 1.2; it was removed from the TLS 1.3 specification. Therefore, we start a TLS 1.2 server:

```shell
openssl s_server -key key.pem -cert cert.pem -accept 44330 -www -tls1_2 -msg
```

And start the client:

```shell
openssl s_client -msg -connect localhost:44330 -tls1_2
```
In the client it is now possible to input a capital `R` and press `<Enter>`, which makes `s_client` start a renegotiation. By decoding the dumped ClientHello with Wireshark, as described in a previous post, we can now inspect extensions like `renegotiation_info`:

```
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 204
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 200
        Version: TLS 1.2 (0x0303)
        Random: 05c2bf8abe4aa85d3b9d3127e1c805289c3a71556f93bd269adff1b5d82f04bc
            GMT Unix Time: Jan 23, 1973 15:58:18.000000000 CET
            Random Bytes: be4aa85d3b9d3127e1c805289c3a71556f93bd269adff1b5d82f04bc
        Session ID Length: 0
        Cipher Suites Length: 54
        Cipher Suites (27 suites)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            ...
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 105
        Extension: renegotiation_info (len=13)
            Type: renegotiation_info (65281)
            Length: 13
            Renegotiation Info extension
                Renegotiation info extension length: 12
                Renegotiation info: b5a38b5e23f4bca242b07119
        Extension: ec_point_formats (len=4)
            Type: ec_point_formats (11)
            Length: 4
            EC point formats Length: 3
            Elliptic curves point formats (3)
                EC point format: uncompressed (0)
                EC point format: ansiX962_compressed_prime (1)
                EC point format: ansiX962_compressed_char2 (2)
        Extension: supported_groups (len=12)
            Type: supported_groups (10)
            Length: 12
            Supported Groups List Length: 10
            Supported Groups (5 groups)
                Supported Group: x25519 (0x001d)
                Supported Group: secp256r1 (0x0017)
                Supported Group: x448 (0x001e)
                Supported Group: secp521r1 (0x0019)
                Supported Group: secp384r1 (0x0018)
        Extension: session_ticket (len=0)
            Type: session_ticket (35)
            Length: 0
            Data (0 bytes)
        Extension: encrypt_then_mac (len=0)
            Type: encrypt_then_mac (22)
            Length: 0
        Extension: extended_master_secret (len=0)
            Type: extended_master_secret (23)
            Length: 0
        Extension: signature_algorithms (len=48)
            Type: signature_algorithms (13)
            Length: 48
            Signature Hash Algorithms Length: 46
            Signature Hash Algorithms (23 algorithms)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Hash Algorithm Hash: SHA256 (4)
                    Signature Hash Algorithm Signature: ECDSA (3)
                ...
```
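As an added example (not code from the original post), the following Python parser reads a raw ClientHello handshake message like the one dumped above and classifies its `renegotiation_info` extension according to RFC 5746: an empty `renegotiated_connection` (or the SCSV cipher suite 0x00ff) marks an initial handshake, while the 12-byte `client_verify_data` marks a renegotiation. The `build_client_hello` helper only constructs minimal sample input for the parser; it is not a captured message.

```python
# Added example (not the post's code): parse a ClientHello and classify its
# renegotiation_info extension (RFC 5746) as initial vs. renegotiation.
import struct

RENEGOTIATION_INFO = 0xFF01   # extension type 65281, as in the dump above
EMPTY_RENEG_SCSV = 0x00FF     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV

def parse_client_hello(msg: bytes) -> dict:
    """Parse a raw ClientHello handshake message (starts at HandshakeType)."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 2 + 32 + 1 + body[34]                   # skip version, random, session ID
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = list(struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len]))
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    exts = {}
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            exts[etype] = body[pos:pos + elen]; pos += elen
    return {"cipher_suites": suites, "extensions": exts}

def classify_renegotiation(hello: dict) -> str:
    """Return 'initial', 'renegotiation' or 'unsupported' per RFC 5746."""
    ri = hello["extensions"].get(RENEGOTIATION_INFO)
    if ri is None:   # no extension: only the SCSV signals RFC 5746 support
        return "initial" if EMPTY_RENEG_SCSV in hello["cipher_suites"] else "unsupported"
    if not ri or ri[0] != len(ri) - 1:
        raise ValueError("malformed renegotiation_info")
    if ri[0] == 0:   # empty renegotiated_connection: initial handshake
        return "initial"
    if ri[0] == 12:  # client_verify_data of the previous handshake (TLS 1.2)
        return "renegotiation"
    raise ValueError("unexpected renegotiated_connection length")

def build_client_hello(ri_payload, scsv=False) -> bytes:
    """Constructed minimal ClientHello used as sample input (not a real capture)."""
    suites = [0xC02C] + ([EMPTY_RENEG_SCSV] if scsv else [])
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session ID
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    body += b"\x01\x00"                           # one compression method: null
    exts = b""
    if ri_payload is not None:                    # renegotiated_connection<0..255>
        ri = bytes([len(ri_payload)]) + ri_payload
        exts = struct.pack("!HH", RENEGOTIATION_INFO, len(ri)) + ri
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

Feeding it the verify_data from the dump above (`b5a38b5e23f4bca242b07119`) yields "renegotiation", while a hello with an empty extension or only the SCSV yields "initial".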
Similarly, we can trigger a session resumption by passing the `-reconnect` flag to the OpenSSL client:

```shell
openssl s_client -msg -connect localhost:44330 -tls1_2 -reconnect
```

OpenSSL will do a full handshake, then close the connection and reconnect using an abbreviated handshake that resumes the previous session.