boringssl early data is rejected by gnutls server because the client ticket age is greater than the server ticket age
Description of problem:
I often observed that boringssl early data got rejected by gnutls server due to ticket age:
gnutls[3]: ASSERT: tls13/anti_replay.c[_gnutls_anti_replay_check]:152
gnutls[4]: EXT[0x...]: replay detected; rejecting early data
/* It shouldn't be possible that the server's view of ticket
* age is smaller than the client's view.
*/
Why does this happen? Because boringssl drops the sub-second part of the timestamps when calculating obfuscated_ticket_age:
https://boringssl.googlesource.com/boringssl/+/refs/heads/master/ssl/extensions.cc#1982
It looks like RFC 8446 only says that "a server MUST validate that the ticket age for the selected PSK identity ... is within a small tolerance of the time since the ticket was issued". This particular check done by gnutls might be too strict.
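The following is an added model of the two computations described above; it is not gnutls or BoringSSL code. Both clocks are assumed synchronized and expressed in integer milliseconds, and the 1000 ms tolerance, the timestamps and the ticket_age_add values are constructed for the illustration.

```python
MOD32 = 1 << 32


class Ticket:
    """Constructed ticket state seen by both sides (synchronized clocks assumed)."""

    def __init__(self, issued_at_ms: int, ticket_age_add: int) -> None:
        self.issued_at_ms = issued_at_ms        # when NewSessionTicket was issued
        self.ticket_age_add = ticket_age_add    # 32-bit obfuscation value from the ticket


def client_obfuscated_age(ticket: Ticket, now_ms: int) -> int:
    """Client view: both clock readings are truncated to whole seconds before
    subtracting, as the report describes for BoringSSL, so the result can
    overstate the real age by up to 999 ms."""
    age_ms = 1000 * (now_ms // 1000 - ticket.issued_at_ms // 1000)
    return (age_ms + ticket.ticket_age_add) % MOD32


def server_ticket_age_ms(ticket: Ticket, now_ms: int) -> int:
    """Server view: millisecond-precision age of the ticket."""
    return now_ms - ticket.issued_at_ms


def deobfuscate(ticket: Ticket, obfuscated_age: int) -> int:
    """Undo the ticket_age_add obfuscation (mod 2^32, as in RFC 8446)."""
    return (obfuscated_age - ticket.ticket_age_add) % MOD32


def strict_check(ticket: Ticket, obfuscated_age: int, now_ms: int) -> bool:
    """Rejects whenever the client's age exceeds the server's; this is the
    comparison that fires in the report."""
    return deobfuscate(ticket, obfuscated_age) <= server_ticket_age_ms(ticket, now_ms)


def tolerant_check(ticket: Ticket, obfuscated_age: int, now_ms: int,
                   tolerance_ms: int = 1000) -> bool:
    """Accepts when the two views agree within tolerance_ms (assumed value;
    RFC 8446 only requires a 'small tolerance'). A large gap in either
    direction, e.g. a ClientHello replayed well after it was first sent,
    is still rejected."""
    client_age = deobfuscate(ticket, obfuscated_age)
    return abs(client_age - server_ticket_age_ms(ticket, now_ms)) <= tolerance_ms


def reported_scenario() -> dict:
    """Ticket issued at 1000.9 s, ClientHello sent at 1001.1 s (constructed)."""
    t, now = Ticket(issued_at_ms=1000900, ticket_age_add=0x1234ABCD), 1001100
    obf = client_obfuscated_age(t, now)
    return {"client_age_ms": deobfuscate(t, obf), "server_age_ms": server_ticket_age_ms(t, now),
            "strict": strict_check(t, obf, now), "tolerant": tolerant_check(t, obf, now)}
```

In the reported scenario the real age is 200 ms, but the client reports 1000 ms, so the strict comparison rejects while the tolerant one accepts.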
Version of gnutls used:
master branch
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
How reproducible:
Send early data from a boringssl client to a gnutls server. Repeat this several times and observe that the gnutls server rejects the early data.
Actual results:
Early data from boringssl client is often rejected.
Expected results:
Early data from boringssl client should be accepted if the ticket age is within the acceptable range.