TLS13 not working for DNS over TLS


#1

Hi,
a couple of days ago you changed something regarding port 853.
Before, I always connected with a TLS1.2 cipher.
Now I can’t connect anymore with the latest beta of openssl-1.1.1.
It seems like you only support the draft versions of TLS1.3 and not the final RFC8446 which is now active in OpenSSL.

openssl s_client -connect 1.1.1.1:853
CONNECTED(00000005)
140296983617984:error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback:ssl/statem/statem_lib.c:1926:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 100 bytes and written 340 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


#2

Seems to work for me. Are you sure you’re connected to Cloudflare?


#3

I am pretty sure that I am requesting a Cloudflare server.
Details below:

dig example.com @1.1.1.1

; <<>> DiG 9.11.4-4-Debian <<>> example.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14610
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 2246 IN A 93.184.216.34

;; Query time: 9 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mi Aug 29 13:18:34 CEST 2018
;; MSG SIZE rcvd: 56

dig example.com @1.0.0.1

; <<>> DiG 9.11.4-4-Debian <<>> example.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14614
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 2246 IN A 93.184.216.34

;; Query time: 9 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Mi Aug 29 13:18:34 CEST 2018
;; MSG SIZE rcvd: 56

dig example.com @8.8.8.8

; <<>> DiG 9.11.4-4-Debian <<>> example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15829
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 11953 IN A 93.184.216.34

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mi Aug 29 13:18:34 CEST 2018
;; MSG SIZE rcvd: 56

dig +short CHAOS TXT id.server @1.1.1.1
"FRA"
dig +short CHAOS TXT id.server @1.0.0.1
"FRA"
dig @ns3.cloudflare.com whoami.cloudflare.com txt +short
"2a00:dca0:100:5:c0de:ba5e:dead:c0de"
echo QUIT|openssl s_client -connect 1.1.1.1:853
CONNECTED(00000005)
139801154064832:error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback:ssl/statem/statem_lib.c:1926:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 100 bytes and written 340 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

echo QUIT|openssl s_client -connect 1.0.0.1:853
CONNECTED(00000005)
139845477179840:error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback:ssl/statem/statem_lib.c:1926:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 100 bytes and written 340 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


#4

If you want a repro environment, debian:unstable-slim with:

OpenSSL 1.1.1-pre9 (beta) 21 Aug 2018

[email protected]:/# openssl s_client -connect 1.1.1.1:853 -msg
CONNECTED(00000005)
>>> ??? [length 0005]
    16 03 01 01 26
>>> TLS 1.3, Handshake [length 0126], ClientHello
    01 00 01 22 03 03 dc 13 f9 fa b1 97 f3 36 8d 8f
    5b 7e 13 13 06 72 0e b2 7d 67 d4 b0 34 90 44 d8
    f0 b5 98 32 e3 ad 20 f4 5b e6 8a ef 15 17 ef 8a
    ef a8 a3 66 d9 ef 22 61 46 83 26 55 81 e7 aa 67
    95 2e eb ae 26 47 f6 00 3e 13 02 13 03 13 01 c0
    2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00
    9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0
    14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00
    3c 00 35 00 2f 00 ff 01 00 00 9b 00 00 00 0c 00
    0a 00 00 07 31 2e 31 2e 31 2e 31 00 0b 00 04 03
    00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00
    19 00 18 00 23 00 00 00 16 00 00 00 17 00 00 00
    0d 00 2a 00 28 04 03 05 03 06 03 08 07 08 08 08
    09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06
    01 03 03 03 01 03 02 04 02 05 02 06 02 00 2b 00
    05 04 03 04 03 03 00 2d 00 02 01 01 00 33 00 26
    00 24 00 1d 00 20 4b be b4 e9 83 7b 0f f8 57 f6
    d0 86 ce 4e 9d 66 40 fe a8 e6 45 0b a8 ff 65 84
    d2 db 1c 67 8e 5e
<<< ??? [length 0005]
    16 03 03 00 5f
<<< TLS 1.3, Handshake [length 005f], ServerHello
    02 00 00 5b 03 03 d3 81 94 d0 c9 de a7 db b2 4a
    5e e2 ba 0a 11 93 11 48 e9 be 72 fa 13 e2 44 4f
    57 4e 47 52 44 01 20 ba 00 0b 05 91 19 62 2b 8c
    15 13 60 69 e1 c9 a4 f4 26 ca c8 a0 23 fb 74 35
    60 4d ca aa c6 22 07 c0 2c 00 00 13 00 0b 00 02
    01 00 00 17 00 00 00 23 00 00 ff 01 00 01 00
>>> ??? [length 0005]
    15 03 03 00 02
>>> TLS 1.3, Alert [length 0002], fatal illegal_parameter
    02 2f
140017285124544:error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback:../ssl/statem/statem_lib.c:1926:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 100 bytes and written 306 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
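
Added example, not part of the original thread: a small Python parser that decodes the ServerHello bytes from the `-msg` trace in post #4 and applies the downgrade-sentinel check from RFC 8446 section 4.1.3, which is the check behind the `inappropriate fallback` error and the `illegal_parameter` alert. The function and constant names are made up for this illustration.

```python
# ServerHello handshake message copied from the `-msg` trace in post #4.
SERVER_HELLO = bytes.fromhex("".join("""
02 00 00 5b 03 03 d3 81 94 d0 c9 de a7 db b2 4a
5e e2 ba 0a 11 93 11 48 e9 be 72 fa 13 e2 44 4f
57 4e 47 52 44 01 20 ba 00 0b 05 91 19 62 2b 8c
15 13 60 69 e1 c9 a4 f4 26 ca c8 a0 23 fb 74 35
60 4d ca aa c6 22 07 c0 2c 00 00 13 00 0b 00 02
01 00 00 17 00 00 00 23 00 00 ff 01 00 01 00
""".split()))

TLS13 = 0x0304
SUPPORTED_VERSIONS = 0x002B
# RFC 8446 4.1.3: last 8 bytes of random when a 1.3-capable server downgrades.
SENTINELS = {b"DOWNGRD\x01": "TLS 1.2", b"DOWNGRD\x00": "TLS 1.1 or below"}

def u16(buf, i):
    return int.from_bytes(buf[i:i + 2], "big")

def parse_server_hello(msg):
    """Parse one ServerHello handshake message (record header not included)."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 38:
        raise ValueError("truncated ServerHello")
    random = body[2:34]
    pos = 35 + body[34]              # skip the echoed session id
    cipher = u16(body, pos)
    pos += 3                         # cipher suite + compression method
    exts = {}
    if pos < len(body):              # extensions are optional in TLS 1.2
        end = pos + 2 + u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            exts[u16(body, pos)] = body[pos + 4:pos + 4 + u16(body, pos + 2)]
            pos += 4 + u16(body, pos + 2)
    sv = exts.get(SUPPORTED_VERSIONS)
    version = u16(sv, 0) if sv else u16(body, 0)   # no extension: legacy field
    return {"version": version, "cipher": cipher,
            "sentinel": SENTINELS.get(random[-8:]), "extensions": sorted(exts)}

def client_must_abort(hello, client_max=TLS13):
    # A TLS 1.3 client rejects a lower-version ServerHello carrying a sentinel.
    return (client_max >= TLS13 and hello["version"] < TLS13
            and hello["sentinel"] is not None)

if __name__ == "__main__":
    hello = parse_server_hello(SERVER_HELLO)
    print(hello, "client must abort:", client_must_abort(hello))
```

On the trace above this reports TLS 1.2 (0x0303) with cipher 0xC02C, no `supported_versions` extension, and the `DOWNGRD\x01` sentinel in the server random, so a client offering final TLS 1.3 has to abort instead of continuing at TLS 1.2.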

#5

I see the same error in your sample:

I am not getting any cipher or protocol information either, just like in your sample.
I expect something like that in the output:

SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384

Of course the output should be with TLSv1.3, and not like the above sample with a working old TLS implementation.


#6

A simple check to verify:
TLS1.3 works with your https implementation but not with DNS over TLS:

echo QUIT|openssl s_client -connect 1.0.0.1:443 2>/dev/null|tail

New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

echo QUIT|openssl s_client -connect 1.0.0.1:853 2>/dev/null|tail
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


#7

I believe this problem is related to the version of TLS 1.3 that’s deployed on 1.1.1.1.

One of the best tools I’ve found to diagnose these problems is testssl.sh. For 1.1.1.1 it currently reports:

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    not offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): draft 28

In comparison, a typical Cloudflare website shows up as:

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): draft 28, draft 23, final

As an aside, as of OpenSSL v1.1.1-pre9, it no longer supports any TLSv1.3 version other than “final”. As such, it will not connect to any services unless they advertise “final”.


#8

Thanks! I’ve passed along your finding to the resolver team.


#9

@Tributh what software do you use as a client? It should fall back to TLS1.2 if it can’t agree on an implemented version.


#10

Beta 7 of OpenSSL 1.1.1 (pre release 9)
RFC8446 forbids falling back to TLS1.2 if negotiation fails.

You may follow this thread for details:
https://www.ietf.org/mail-archive/web/tls/current/msg26795.html


#11

Okay, it seems like this will be fixed in the next GnuTLS version, which hopefully comes out before OpenSSL 1.1.1 gets out of beta https://gitlab.com/gnutls/gnutls/issues/542


#12

OpenSSL 1.1.1 has been released and I built an unbound instance with it. But it cannot connect to the 1.1.1.1:853 upstream, with the same error.