crypto/tls: Large session tickets in Go 1.21 can cause Windows Schannel clients to be unable to connect #63763
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
OS-Windows
Security
Comments
dr2chase
added
the
NeedsInvestigation
|
@golang/security |
|
Same issue encountered on Apache HTTP Server when used as a mTLS reverse proxy with old versions of OpenSSL ( |
|
I did a bit more testing on this and found that a custom For example:package main
import (
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"fmt"
"math/big"
"net"
"net/http"
"time"
)
func generateCert() ([]tls.Certificate, error) {
rootKey, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return nil, fmt.Errorf("failed to generate rsa key: %v", err)
}
serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
if err != nil {
return nil, fmt.Errorf("failed to generate serial: %v", err)
}
rootTemplate := &x509.Certificate{
SerialNumber: serial,
NotBefore: time.Now().Add(-time.Hour),
NotAfter: time.Now().Add(time.Hour * 24 * 365 * 10),
KeyUsage: x509.KeyUsageContentCommitment | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{
x509.ExtKeyUsageClientAuth,
x509.ExtKeyUsageServerAuth,
},
BasicConstraintsValid: true,
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
}
rootDER, err := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, &rootKey.PublicKey, rootKey)
if err != nil {
return nil, fmt.Errorf("failed to create certificate: %v", err)
}
return []tls.Certificate{
{
Certificate: [][]byte{rootDER},
PrivateKey: rootKey,
},
}, nil
}
func main() {
tlsCertificates, err := generateCert()
if err != nil {
panic(err)
}
server := http.Server{
Addr: "127.0.0.1:8081",
TLSConfig: &tls.Config{
Certificates: tlsCertificates,
},
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("success"))
}),
}
server.TLSConfig.WrapSession = func(cs tls.ConnectionState, ss *tls.SessionState) ([]byte, error) {
// it works for <=16371 bytes
return make([]byte, 16372), nil
}
server.TLSConfig.UnwrapSession = func(identity []byte, cs tls.ConnectionState) (*tls.SessionState, error) {
return nil, fmt.Errorf("UnwrapSession not implemented")
}
fmt.Printf("listening...\n")
server.ListenAndServeTLS("", "")
}Run this program, then open Microsoft Edge and try loading https://127.0.0.1:8081/. To fix this issue in Golang, the standard library would need to ensure that session tickets never exceed 16371 bytes. |
|
cc @golang/windows |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What version of Go are you using (
go version)?Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env)?go envOutputWhat did you do?
See https://github.com/printfn/golang-tls-session-ticket-bug for a minimal example and reproduction steps.
In Go 1.21, client TLS certificates are included in session tickets by default. When the client cert chain is very long (or the certificate is otherwise very large), the session ticket grows as well, eventually preventing Windows Schannel clients from being able to connect.
Changing the
WrapTicketimplementation to return a shorter session ticket (e.g.return []byte{0}, nil) works around the issue.This bug happens on the current latest version of Windows 11 (22H2, build 22621.2428). It worked fine on Go 1.20 and earlier, but is broken as of Go 1.21.0. It's worth noting that the Golang TLS client is still able to connect.
The text was updated successfully, but these errors were encountered: