Impossible to test post handshake authentication with tlsfuzzer
I was testing a new tlsfuzzer script for PHA and it doesn't look to me like it is possible to test PHA with a single script against one instance of GnuTLS.
https://github.com/tomato42/tlsfuzzer/pull/551
I executed the script with `--query '**REAUTH**' --pha-as-reply` options set, and started gnutls-serv with `--echo`.
While executing the 'post-handshake authentication' script works as expected, even multiple times, any other conversation, including 'post-handshake authentication with no client cert', results in an abort from the server:
|<3>| ASSERT: buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: tls13/certificate.c[_gnutls13_recv_certificate]:59
|<3>| ASSERT: buffers.c[get_last_packet]:1168
|<3>| ASSERT: buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: tls13/certificate.c[_gnutls13_recv_certificate]:59
|<3>| ASSERT: buffers.c[get_last_packet]:1168
|<5>| REC[0xcad710]: SSL 3.3 Application Data packet received. Epoch 2, length: 37
|<5>| REC[0xcad710]: Expected Packet Handshake(22)
|<5>| REC[0xcad710]: Received Packet Application Data(23) with length: 37
|<5>| REC[0xcad710]: Decrypted Packet[1] Handshake(22) with length: 20
|<4>| HSK[0xcad710]: CERTIFICATE (11) was received. Length 16[16], frag offset 0, frag length: 16, sequence: 0
|<4>| HSK[0xcad710]: parsing certificate message
|<3>| ASSERT: tls13/certificate.c[parse_cert_list]:407
|<3>| ASSERT: tls13/certificate.c[_gnutls13_recv_certificate]:110
|<3>| ASSERT: tls13/post_handshake.c[_gnutls13_reauth_server]:175
reauth: Certificate is required.
$
and no Alert is sent to the client:
Error encountered while processing node ExpectNewSessionTicket(note='second set') (child: ExpectNewSessionTicket(note='second set')) with last message being: None
Error while processing
Traceback (most recent call last):
File "scripts/test-tls13-post-handshake-auth.py", line 446, in main
runner.run()
File "/home/hkario/dev/tlsfuzzer/tlsfuzzer/runner.py", line 221, in run
"Unexpected closure from peer")
AssertionError: Unexpected closure from peer