Build the library with X.509 enabled, but without any TLS cipher suite that uses certificates. The build fails.
Observed on mbedtls-3.6.1 and development from today. The problems must have been around for a while, possibly at least partly even before the TLS 1.3 work.
I discovered this when I tried building the library with a single key exchange type, for each TLS 1.2 key exchange type (with TLS 1.3 disabled). Some of the builds failed. Note that this is different from what depends.py pkalgs does: it keeps all TLS 1.3 key exchanges enabled.
Detailed steps to reproduce
Here's a configuration that reproduces the problem:
```
scripts/config.py full
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
scripts/config.py set MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
```
This enables all TLS 1.2 and TLS 1.3 key exchanges that don't allow the use of a certificate. Note that RSA and RSA-PSK are not included because they allow a client certificate.
There are two problems, both related to inconsistencies in how we gate function definitions by key exchange types.
Spurious code gets included in libmbedtls, causing a link failure.
```
/usr/bin/ld: library/libmbedtls.a(ssl_tls12_server.o): in function `ssl_pick_cert':
build-notlssig-debug/source/library/ssl_tls12_server.c:758: undefined reference to `mbedtls_ssl_check_cert_usage'
collect2: error: ld returned 1 exit status
```
An unused function in the SSL test programs:
```
CC source/programs/ssl/ssl_server2.c
In file included from source/programs/ssl/ssl_server2.c:713:
source/programs/ssl/ssl_test_common_source.c:322:12: error: ‘x509_crt_verify_info’ defined but not used [-Werror=unused-function]
  322 | static int x509_crt_verify_info(char *buf, size_t size, const char *prefix,
      |            ^~~~~~~~~~~~~~~~~~~~
```
Actions
Adapt depends.py so that it reproduces the problem. I think when enumerating TLS 1.2 key exchanges, it should disable TLS 1.3.
Fix the inconsistencies.
(Or `mbedtls-prepare-build -d build-notlssig-debug -p full-debug --config-unset=MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED --config-unset=MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_PSK_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_RSA_ENABLED --config-unset=MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED --config-set=MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED`)
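The build sweep the issue describes (one TLS 1.2 key exchange enabled at a time, with TLS 1.3 disabled), sketched as an added example that is not part of the original issue or of the Mbed TLS scripts. It assumes TLS 1.3 is turned off by unsetting `MBEDTLS_SSL_PROTO_TLS1_3` and that `make` is the build command; the function names are hypothetical.

```python
#!/usr/bin/env python3
import subprocess
import sys

# TLS 1.2 key exchange options named in the issue's reproducer.
TLS12_KEX = ("DHE_PSK", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_PSK", "ECDHE_RSA",
             "ECDH_ECDSA", "ECDH_RSA", "ECJPAKE", "PSK", "RSA", "RSA_PSK")
# Assumption: TLS 1.3 is turned off as a whole by unsetting this option.
TLS13_OPTION = "MBEDTLS_SSL_PROTO_TLS1_3"


def config_steps(enabled):
    """config.py argument lists: full config, TLS 1.3 off, only `enabled` kept."""
    unknown = set(enabled) - set(TLS12_KEX)
    if unknown:
        raise ValueError(f"unknown key exchange(s): {sorted(unknown)}")
    steps = [["full"], ["unset", TLS13_OPTION]]
    for kex in TLS12_KEX:
        action = "set" if kex in enabled else "unset"
        steps.append([action, f"MBEDTLS_KEY_EXCHANGE_{kex}_ENABLED"])
    return steps


def single_kex_matrix():
    """One configuration per TLS 1.2 key exchange, each enabled alone."""
    return {kex: config_steps({kex}) for kex in TLS12_KEX}


def build(steps, make_cmd=("make",)):
    """Apply the steps in an Mbed TLS tree, then build. True if the build passes.
    Assumption: run from the tree root; make_cmd is the caller's build command."""
    for args in steps:
        subprocess.run(["scripts/config.py", *args], check=True)
    return subprocess.run(list(make_cmd)).returncode == 0


if __name__ == "__main__":
    run = "--run" in sys.argv  # default is a dry run that only prints the steps
    for kex, steps in single_kex_matrix().items():
        if run:
            print(f"{kex}: {'ok' if build(steps) else 'BUILD FAILED'}")
        else:
            print(f"# only {kex}")
            for args in steps:
                print("scripts/config.py", *args)
```

Without `--run` the script only prints the `scripts/config.py` commands for each configuration, so the matrix can be reviewed before any tree is modified.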