[Bug 64781] New: mod_ssl_ct does not send SCT extension with TLS 1.3


Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=64781

            Bug ID: 64781
           Summary: mod_ssl_ct does not send SCT extension with TLS 1.3
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

mod_ssl_ct can be configured to send Static SCTs within the
signed_certificate_timestamp extension of the ServerHello message.

This works well when a client connects via TLS 1.2, but when a client connects
via TLS 1.3, the module does not send the extension.

The module should send the extension during a TLS 1.3 ServerHello as well, when
the client indicates support for it in its ClientHello message.

I have set up a test server for this on https://ct.demo.pinterjann.is. You can
verify the problem using OpenSSL s_client:

$ openssl s_client -connect ct.demo.pinterjann.is:443 -ct -ctlogfile ctlogfile -tls1_2

$ openssl s_client -connect ct.demo.pinterjann.is:443 -ct -ctlogfile ctlogfile -tls1_3

When the client connects via TLS 1.2, the server sends an additional statically
configured SCT using the signed_certificate_timestamp extension (Cloudflare
Nimbus2020). When the client connects via TLS 1.3, the server does not send any
SCTs (OpenSSL will then only print the Precertificate SCTs embedded in the
server certificate).

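As an added example that is not part of the bug report or of mod_ssl_ct, the following Python decodes the SignedCertificateTimestampList that the signed_certificate_timestamp extension carries (RFC 6962 section 3.3), so an operator checking a server like the one above can see exactly which log IDs and timestamps were delivered rather than relying on the s_client summary. The log IDs, signatures and timestamps in the sample are constructed placeholders, and the encoder exists only to build that sample.

```python
"""Decode a signed_certificate_timestamp extension payload (RFC 6962 section 3.3)."""
import struct
from datetime import datetime, timezone

FAKE_LOG_A = bytes(range(32))      # constructed placeholder for SHA-256(log public key)
FAKE_LOG_B = bytes(range(32, 64))  # constructed placeholder, second log
FAKE_SIG = b"\x30\x06\x02\x01\x01\x02\x01\x02"  # constructed placeholder, not a real signature

def encode_sct(log_id, timestamp_ms, signature, extensions=b""):
    """Serialize one v1 SCT; used here only to build the constructed sample."""
    body = b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
    body += struct.pack(">H", len(extensions)) + extensions
    # DigitallySigned: hash sha256 (4), signature ecdsa (3), 2-byte length, bytes
    return body + b"\x04\x03" + struct.pack(">H", len(signature)) + signature

def parse_sct(data):
    """Parse one SerializedSCT; raises ValueError on anything malformed."""
    if len(data) < 43 or data[0] != 0:
        raise ValueError("short SCT or unsupported version")
    (ts_ms,) = struct.unpack(">Q", data[33:41])
    (ext_len,) = struct.unpack(">H", data[41:43])
    pos = 43 + ext_len  # start of DigitallySigned
    if len(data) < pos + 4:
        raise ValueError("truncated DigitallySigned")
    (sig_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
    if pos + 4 + sig_len != len(data):
        raise ValueError("signature length mismatch")
    return {"log_id": data[1:33].hex(),
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "extensions": data[43:pos], "hash_alg": data[pos],
            "sig_alg": data[pos + 1], "signature": data[pos + 4:]}

def parse_sct_list(payload):
    """Return the SCTs carried in a SignedCertificateTimestampList."""
    if len(payload) < 2 or struct.unpack(">H", payload[:2])[0] != len(payload) - 2:
        raise ValueError("bad list length")
    scts, pos = [], 2
    while pos < len(payload):
        (n,) = struct.unpack(">H", payload[pos:pos + 2])
        if pos + 2 + n > len(payload):
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(payload[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

# Constructed sample: a list of two SCTs, as a server would carry in the extension.
_scts = [encode_sct(FAKE_LOG_A, 1_600_000_000_000, FAKE_SIG),
         encode_sct(FAKE_LOG_B, 1_600_000_123_456, FAKE_SIG)]
_inner = b"".join(struct.pack(">H", len(s)) + s for s in _scts)
SAMPLE_EXTENSION = struct.pack(">H", len(_inner)) + _inner
```

The payload format is the same whichever handshake message carries the extension, so the decoder can be pointed at bytes captured from either a TLS 1.2 or a TLS 1.3 handshake.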