Safe renegotiation breaks on session resumption with OpenSSL client
Description of problem:
This is https://bugs.debian.org/873055 reported by Thomas Klute thomas2.klute@uni-dortmund.de:
Package: libgnutls30
Version: 3.5.14-3
If the %SAFE_RENEGOTIATION flag is enabled in the priorities string of a GnuTLS server, Client Hellos from OpenSSL clients attempting session resumption are rejected with a "safe renegotiation failed" error, even though the client does support safe renegotiation. Note that the handshake works as expected if the session cache entry or ticket has expired (without resumption, of course), so the bug only affects otherwise successful resumption.
I have initially observed this bug using mod_gnutls (package libapache2-mod-gnutls), but it is fully reproducible using only the GnuTLS and OpenSSL command line tools. The logs below have been produced by running a gnutls-serv server and connecting using openssl s_client and gnutls-cli (separated by three pings for clarity in client logs and packet capture), both set to immediately disconnect and resume after the initial handshake. The GnuTLS client can resume the TLS session as expected, while the OpenSSL client is rejected.
Commands to reproduce:
(server)$ gnutls-serv --priority="NORMAL:%SAFE_RENEGOTIATION" --x509keyfile=server/secret.key --x509certfile=server/x509-chain.pem -p 4433
(OpenSSL client)$ openssl s_client -connect localhost:4433 -reconnect
(GnuTLS client)$ gnutls-cli -p 4433 --x509cafile=authority/x509.pem --resume localhost
A packet capture taken during this process shows a difference in how GnuTLS and OpenSSL signal safe renegotiation support in the Client Hello: GnuTLS sends the renegotiation_info extension, OpenSSL includes the TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the list of cipher suites. According to RFC 5746 both are equally valid for both full and session-resumption handshakes, but the GnuTLS server appears to ignore the SCSV during session resumption.
[verbose logs in the Debian bug report]
Version of gnutls used:
3.5.14, also reproduced with 3.6.0, using doc/credentials/x509/key-rsa.pem, doc/credentials/x509/cert-rsa.pem and doc/credentials/x509/ca.pem as example certificates.
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian.
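An added example, not part of the original report and not GnuTLS or OpenSSL code: a Python parser that reports whether a ClientHello offers session-ID resumption and which of the two RFC 5746 signals it carries, for checking a capture like the one described above. The function names and the sample messages are constructed for illustration; the samples mirror the SCSV-only and extension-only styles the report attributes to OpenSSL and GnuTLS.

```python
import struct

SCSV = 0x00FF                    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
EXT_RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746)

def build_client_hello(session_id, suites, extensions):
    """Build a constructed TLS 1.2 ClientHello handshake message (sample input)."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = b"\x03\x03" + bytes(32)                    # client_version, random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body

def renegotiation_signals(hello):
    """Return (offers_resumption, has_scsv, has_extension) for a ClientHello."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    end = 4 + int.from_bytes(hello[1:4], "big")
    if end > len(hello):
        raise ValueError("truncated ClientHello")
    pos = 4 + 2 + 32                                  # header, version, random
    sid_len = hello[pos]
    pos += 1 + sid_len
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    suites = struct.unpack_from("!%dH" % (cs_len // 2), hello, pos + 2)
    pos += 2 + cs_len
    pos += 1 + hello[pos]                             # skip compression methods
    has_ext = False
    if pos + 2 <= end:                                # extensions block is optional
        (ext_len,) = struct.unpack_from("!H", hello, pos)
        pos, ext_end = pos + 2, min(pos + 2 + ext_len, end)
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            has_ext = has_ext or etype == EXT_RENEGOTIATION_INFO
            pos += 4 + elen
    return sid_len > 0, SCSV in suites, has_ext

def signals_safe_renegotiation(hello):
    """Either the SCSV or the extension counts, whether or not resuming."""
    _, has_scsv, has_extension = renegotiation_signals(hello)
    return has_scsv or has_extension

SESSION_ID = bytes(range(32))  # constructed session ID for the resumption samples
SCSV_RESUME = build_client_hello(SESSION_ID, [0xC02F, 0x009C, SCSV], [])
EXT_RESUME = build_client_hello(SESSION_ID, [0xC02F, 0x009C],
                                [(EXT_RENEGOTIATION_INFO, b"\x00")])
NO_SIGNAL = build_client_hello(b"", [0xC02F], [])
```

A server-side check written this way accepts both resumption samples; the behaviour reported here corresponds to treating `SCSV_RESUME` as if it were `NO_SIGNAL`.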