tlsfuzzer / tlsfuzzer

SSL and TLS protocol test suite and fuzzer


test-bleichenbacher-timing-marvin: ServerHello: unexpected extension server_name when using DNS-based hostname

jayaddison opened this issue · comments

Bug Report

System Information

Type                        Version/Name
Operating System Name       Ubuntu Linux
Operating System Version    23.10
Python version              Python 3.11.6
tlslite-ng version          0.8.0-beta1
tlsfuzzer revision          f876258

Problem description

During a run of scripts/test-bleichenbacher-timing-marvin.py with a DNS-based hostname, server certificate, and server certificate private key specified as arguments, running against a server that supports SNI, an expectation error occurs reporting that the server_name extension is unexpected.

Describe how to reproduce the problem

$ PYTHONPATH=. python scripts/test-bleichenbacher-timing-marvin.py -h www.example.org --srv-key ${SRV_KEY} --srv-cert ${SRV_CERT}

Expected behaviour

The script appears designed to handle both servers that support SNI and those that do not, so the server_name extension should be acceptable when contacting a named server.

Include errors or backtraces

sanity ...
Error encountered while processing node ExpectServerHello() (child: <tlsfuzzer.expect.ExpectCertificate object at 0x............>) with last message being: <tlslite.messages.Message object at 0x............>
Error while processing
Traceback (most recent call last):
  File ".../scripts/test-bleichenbacher-timing-marvin.py", line 365, in main
    runner.run()
  File ".../tlsfuzzer/runner.py", line 242, in run
    node.process(self.state, msg)
  File ".../tlsfuzzer/expect.py", line 801, in process
    self._compare_extensions(srv_hello)
  File ".../tlsfuzzer/expect.py", line 558, in _compare_extensions
    raise AssertionError("Server sent unexpected extension(s):"
AssertionError: Server sent unexpected extension(s): server_name

Additional context

As a temporary local workaround, adding a srv_extensions[ExtensionType.server_name] expectation to complement the client expectations within this conditional block allowed the test script to continue.

if is_valid_hostname(host) and not no_sni:
    cln_extensions[ExtensionType.server_name] = \
        SNIExtension().create(bytearray(host, 'ascii'))

Right, because the test case is strict with the expected extensions, it fails when the server echoes back the server_name extension. Actually, a better workaround is to use the --no-safe-renego option, as that will enable the automatic processing of extensions in ServerHello.

That being said, why are you running the test-bleichenbacher-timing-marvin.py script? As documented, it is valid only for testing TLS servers that use the Marvin workaround internally:

This test script checks if the server implements the Marvin workaround
correctly. That is, it expects that it leaks both the length of the encrypted
pre-master secret and the encrypted TLS version in it, but that PMS does not
depend on correctness of PKCS#1 padding.

AFAIK, at this time, it's just Mozilla NSS that does that. All the other servers should be tested with test-bleichenbacher-timing-pregenerate.py.
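The failure mode described in the comment above, as an added, self-contained example that is not tlsfuzzer's or tlslite-ng's own code: a hand-built ServerHello extensions block (RFC 5246 / RFC 6066 wire format) is parsed back and compared against an expectation dict the strict way, so an SNI-capable server's echoed, empty server_name extension trips the check unless the expectation lists it, while a server that does not echo it then fails the expanded expectation. The helper names, the constructed byte strings and the simplification that only extension types (not their contents) are compared are assumptions of this example, not tlsfuzzer's real ExpectServerHello behaviour.

```python
"""Added example (not tlsfuzzer code): strict ServerHello extension checking."""
import struct

# IANA TLS ExtensionType values: server_name (RFC 6066), renegotiation_info (RFC 5746)
SERVER_NAME = 0
RENEGOTIATION_INFO = 0xFF01
EXT_NAMES = {SERVER_NAME: "server_name", RENEGOTIATION_INFO: "renegotiation_info"}


def encode_extensions(exts):
    """Encode [(type, body), ...] as a TLS extensions block:
    2-byte total length, then type(2) + length(2) + body for each extension."""
    body = b"".join(struct.pack("!HH", ext_type, len(data)) + data
                    for ext_type, data in exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions(blob):
    """Parse an extensions block into {type: body}, rejecting truncation and duplicates."""
    if len(blob) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length does not match data")
    pos, parsed = 2, {}
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, length = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("extension body runs past end of block")
        if ext_type in parsed:
            raise ValueError("duplicate extension type %d" % ext_type)
        parsed[ext_type] = blob[pos:pos + length]
        pos += length
    return parsed


def compare_extensions(expected, received):
    """Strict comparison (assumed model of a strict expectation): the set of
    received extension types must equal the set of expected ones."""
    unexpected = set(received) - set(expected)
    missing = set(expected) - set(received)
    if unexpected:
        names = ", ".join(EXT_NAMES.get(t, str(t)) for t in sorted(unexpected))
        raise AssertionError("Server sent unexpected extension(s): " + names)
    if missing:
        names = ", ".join(EXT_NAMES.get(t, str(t)) for t in sorted(missing))
        raise AssertionError("Server did not send expected extension(s): " + names)
    return True


def check_server_hello(expected, blob):
    """Run the strict check; return None on success or the error text on failure."""
    try:
        compare_extensions(expected, parse_extensions(blob))
        return None
    except AssertionError as err:
        return str(err)


# Constructed sample data (not captured from a real server):
# renegotiation_info with empty renegotiated_connection (initial handshake),
# plus the empty server_name extension an SNI-aware server echoes back.
SNI_SERVER_BLOB = encode_extensions([(RENEGOTIATION_INFO, b"\x00"), (SERVER_NAME, b"")])
# Same server without SNI support: only renegotiation_info.
PLAIN_SERVER_BLOB = encode_extensions([(RENEGOTIATION_INFO, b"\x00")])

# Expectation as the original script built it, and as the workaround extends it.
STRICT_EXPECT = {RENEGOTIATION_INFO: None}
SNI_EXPECT = {RENEGOTIATION_INFO: None, SERVER_NAME: None}

if __name__ == "__main__":
    print(check_server_hello(STRICT_EXPECT, SNI_SERVER_BLOB))
    print(check_server_hello(SNI_EXPECT, SNI_SERVER_BLOB))
    print(check_server_hello(SNI_EXPECT, PLAIN_SERVER_BLOB))
```

The third call shows why the script guards the expectation with the hostname/no_sni condition: an expectation that unconditionally lists server_name would fail against a server that does not echo it.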

Should be fixed with #896.

Thanks @tomato42.

Related to this:

That being said, why are you running the test-bleichenbacher-timing-marvin.py script? As documented, it is valid only for testing TLS servers that use the Marvin workaround internally:

Yep, this was operator error on my part; I hadn't double-checked the filename of the script to run, and incorrectly chose the one that had marvin in the name.

Ah, ok. Well, I fixed it in both scripts, so feel free to use the ...-pregenerate.py script, which will handle server_name correctly :)

Thank you :) Yep, the pregenerate script works as expected!