Issue with DTLS 1.2 Session Resumption

[Smuul]

Title: Issue with DTLS 1.2 Session Resumption

Description:

I am encountering an issue when trying to resume a previous DTLS session. I attempt this by setting the Session ID of the initial session in the Client Hello of the subsequent handshake.

Scenario:

Analyzing the generated network traffic, I observe that the server (using OpenSSL) responds correctly to facilitate session resumption.

To handle the expected response on the Attacker side, I use the following TLS-Attacker action:
trace.addTlsAction(new ReceiveAction(new ServerHelloMessage(), new ChangeCipherSpecMessage(), new FinishedMessage()));

Observations:

However, upon reviewing the TLS-Attacker logs, it appears that the FinishedMessage is not properly read, as only the ServerHello and ChangeCipherSpec messages are detected.

I would greatly appreciate any guidance or recommendations on how to resolve this issue. If further details are needed, please let me know.

Thank you for your assistance!

[ic0ns]

The behavior you see is indicative of the TLS-Attacker not being able to decrypt the Finished message. Did you give TLS-Attacker the master secret so that it can correctly derive the keys?

[Smuul]

No, I am not currently providing the master secret to TLS-Attacker. Would it be necessary even if I am using a PSK (Pre-Shared Key) cipher suite, which is the case in my scenario? Additionally, I am using two separate workflows (one for each handshake). Could this setup potentially affect the session resumption process? If further details are needed, please let me know.

Thank you for your assistance!

[ic0ns]

Yes, a resumption handshake uses the previous master secret to avoid doing the key exchange again, even for PSK cipher suites. Doing two separate workflows is in general possible, but requires you to (at least) manually copy the master secret into the new connection (by adding the session parameters into the sessionList), such that TLS-Attacker can derive the keys for the connection. You can also do it in one workflow by using the ResetConnectionAction.

[Smuul]

Finally, it worked! I managed to resolve the issue using the ResetConnectionAction. Thank you so much for your quick responses and assistance. I will go ahead and close this issue now. :)

[Smuul]

I am reopening this issue because I am trying to achieve the same functionality on the server side. Specifically, I intended to use ResetConnectionAction after the server's initial workflow. However, I encountered the following error:

Could you clarify whether this option is unsupported for the server? If so, what would be the recommended approach to accomplish this?

[Smuul]

I was able to achieve it by retrieving the session parameters from the first session and applying them to the second one. I would like to know if there is an alternative approach or if this is the only way.

[ic0ns]

I am a bit confused. To do session resumption you somehow need to propagate the parameters from the one session to the other. This should be done automatically if you do it within one workflow. So I am unsure what you did/didn't do to make it work/not work. Can you provide a minimal example so that I can reproduce it?

[Smuul]

Not working case:

TLS-Attacker Server

Config config = Config.createConfig();
WorkflowTrace trace = new WorkflowTrace();
trace.addTlsAction(new ReceiveAction(new ClientHelloMessage()));
trace.addTlsAction(new SendAction(new HelloVerifyRequestMessage()));
trace.addTlsAction(new ReceiveAction(new ClientHelloMessage()));
trace.addTlsAction(new SendAction(new ServerHelloMessage()));
trace.addTlsAction(new SendAction(new PskServerKeyExchangeMessage()));
trace.addTlsAction(new SendAction(new ServerHelloDoneMessage()));
trace.addTlsAction(new ReceiveAction(new PskClientKeyExchangeMessage()));
trace.addTlsAction(new ReceiveAction(new ChangeCipherSpecMessage()));
trace.addTlsAction(new ReceiveAction(new FinishedMessage()));
trace.addTlsAction(new SendAction(new ChangeCipherSpecMessage()));
trace.addTlsAction(new SendAction(new FinishedMessage()));
trace.addTlsAction(new ReceiveAction(new AlertMessage()));
trace.addTlsAction(new ResetConnectionAction());

//Resumption Handshake
trace.addTlsAction(new ReceiveAction(new ClientHelloMessage()));
trace.addTlsAction(new SendAction(new HelloVerifyRequestMessage()));
trace.addTlsAction(new ReceiveAction(new ClientHelloMessage()));
trace.addTlsAction(new SendAction(new ServerHelloMessage()));
trace.addTlsAction(new SendAction(new ChangeCipherSpecMessage()));
trace.addTlsAction(new SendAction(new FinishedMessage()));
trace.addTlsAction(new ReceiveAction(new ChangeCipherSpecMessage()));
trace.addTlsAction(new ReceiveAction(new FinishedMessage()));

State state = new State(config, trace);
DefaultWorkflowExecutor executor = new DefaultWorkflowExecutor(state);
executor.executeWorkflow();

OpenSSL Client

openssl s_client -connect 127.0.0.1:4433 -dtls1_2 -psk 316132623363346435653666 -sess_out /tmp/session.pem
I press 'Q' to create an Alert message from Client
openssl s_client -connect 127.0.0.1:4433 -dtls1_2 -psk 316132623363346435653666 -sess_in /tmp/session.pem

Obtained trace

Working case

Config config = Config.createConfig();
WorkflowTrace trace = new WorkflowTrace();
trace.addTlsAction(new ReceiveAction(new ClientHelloMessage()));
trace.addTlsAction(new SendAction(new HelloVerifyRequestMessage()));
trace.addTlsAction(new ReceiveAction(new ClientHelloMessage()));
trace.addTlsAction(new SendAction(new ServerHelloMessage()));
trace.addTlsAction(new SendAction(new PskServerKeyExchangeMessage()));
trace.addTlsAction(new SendAction(new ServerHelloDoneMessage()));
trace.addTlsAction(new ReceiveAction(new PskClientKeyExchangeMessage()));
trace.addTlsAction(new ReceiveAction(new ChangeCipherSpecMessage()));
trace.addTlsAction(new ReceiveAction(new FinishedMessage()));
trace.addTlsAction(new SendAction(new ChangeCipherSpecMessage()));
trace.addTlsAction(new SendAction(new FinishedMessage()));
trace.addTlsAction(new ReceiveAction(new AlertMessage()));
trace.addTlsAction(new ResetConnectionAction());
State state = new State(config, trace);
DefaultWorkflowExecutor executor = new DefaultWorkflowExecutor(state);
executor.executeWorkflow();

//I get the sessions list
TlsContext context = state.getTlsContext();
List<Session> sessionList = context.getSessionList();

//Resumption Handshake
Config config = Config.createConfig();
WorkflowTrace trace = new WorkflowTrace();
trace.addTlsAction(new ReceiveAction(new ClientHelloMessage()));
trace.addTlsAction(new SendAction(new HelloVerifyRequestMessage()));
trace.addTlsAction(new ReceiveAction(new ClientHelloMessage()));
trace.addTlsAction(new SendAction(new ServerHelloMessage()));
trace.addTlsAction(new SendAction(new ChangeCipherSpecMessage()));
trace.addTlsAction(new SendAction(new FinishedMessage()));
trace.addTlsAction(new ReceiveAction(new ChangeCipherSpecMessage()));
trace.addTlsAction(new ReceiveAction(new FinishedMessage()));

//I set the sessions list
State state = new State(config, trace);
TlsContext context = state.getTlsContext();
context.setSessionList(sessionList);
DefaultWorkflowExecutor executor = new DefaultWorkflowExecutor(state);
executor.executeWorkflow();

OpenSSL Client

openssl s_client -connect 127.0.0.1:4433 -dtls1_2 -psk 316132623363346435653666 -sess_out /tmp/session.pem
openssl s_client -connect 127.0.0.1:4433 -dtls1_2 -psk 316132623363346435653666 -sess_in /tmp/session.pem

Obtained trace