Commit e8f4a800 authored by Petr Špaček's avatar Petr Špaček

daemon/tls: disable session resumption with shared secret for now

There is no GnuTLS version which would make this safe.
See https://gitlab.com/gnutls/gnutls/issues/477
parent 836db05b
Pipeline #37016 passed with stages
in 8 minutes and 41 seconds
......@@ -515,7 +515,8 @@ TLS server configuration
.. warning:: **Setting the secret is probably too risky with TLS <= 1.2**.
At this moment no GnuTLS stable release even supports TLS 1.3.
Therefore setting the secrets should be considered experimental for now.
Therefore setting the secrets should be considered experimental for now
and might not be available on your system.
.. function:: net.tls_sticket_secret_file([string with path to a file containing pre-shared secret])
......
......@@ -37,10 +37,12 @@
#define SESSION_KEY_SIZE 64
/** Compile-time support for setting the secret. */
/* This is not secure with TLS <= 1.2 but TLS 1.3 and secure configuration
* is not available in GnuTLS yet. See https://gitlab.com/gnutls/gnutls/issues/477
#ifndef TLS_SESSION_RESUMPTION_SYNC
/* Probably not much sense having it with gnutls < 3.6. */
#define TLS_SESSION_RESUMPTION_SYNC (GNUTLS_VERSION_NUMBER >= 0x030600)
#define TLS_SESSION_RESUMPTION_SYNC (GNUTLS_VERSION_NUMBER >= 0x030603)
#endif
*/
#if GNUTLS_VERSION_NUMBER < 0x030400
/* It's of little use anyway. We may get the secret through lua,
......@@ -48,7 +50,7 @@
#define gnutls_memset memset
#endif
#if GNUTLS_VERSION_NUMBER >= 0x030407
#ifdef GNUTLS_DIG_SHA3_512
#define TST_HASH GNUTLS_DIG_SHA3_512
#else
#define TST_HASH abort()
......@@ -99,7 +101,7 @@ static tst_ctx_t * tst_key_create(const char *secret, size_t secret_len, uv_loop
}
#if !TLS_SESSION_RESUMPTION_SYNC
if (secret_len) {
kr_log_error("[tls] session ticket: secrets not enabled (compile-time)\n");
kr_log_error("[tls] session ticket: secrets were not enabled at compile-time (your GnuTLS version is not supported)\n");
return NULL; /* ENOTSUP */
}
#endif
......
local function test_session_config()
ok(net.tls_sticket_secret(),
'net.tls_sticket_secret() to trigger key regeneration')
ok(net.tls_sticket_secret('0123456789ABCDEF0123456789ABCDEF'),
'net.tls_sticket_secret with valid key')
-- There is no sufficiently new stable release of GnuTLS.
-- ok(net.tls_sticket_secret('0123456789ABCDEF0123456789ABCDEF'),
-- 'net.tls_sticket_secret with valid key')
boom(net.tls_sticket_secret, {{}},
'net.tls_sticket_secret({}) is invalid')
boom(net.tls_sticket_secret, {'0123456789ABCDEF0123456789ABCDE'},
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment