oqs-provider: Too many advertised sig algs cause TLS server hang-up

Describe the bug

Provider built from the main branch pulled after Fri Apr 12, 2024, somehow causes OpenSSL to hang and then time out on requests over corporate firewall (to https://index.crates.io, in case it matters).

When I comment out oqs provider in openssl.cnf the problem disappears.

I must add that before Apr 12th everything worked just fine. So, it’s OpenSSL, or liboqs, or oqs-provider.

@levitte could you please take a look as well? I don’t know whether it’s the provider’s fault, or that of the OpenSSL itself.

To Reproduce

A little complicated, but here’s what I have.

Steps to reproduce the behavior:

  1. Install Rust toolchain.
  2. Install cargo-update via cargo install cargo-update
  3. Have OpenSSL-3.2.1 installed.
  4. Install current master of liboqs.
  5. Clone and install oqs-provider (main branch).
  6. Edit openssl.cnf to add oqs provider (some add it as oqsprovider, for me naming it oqs suffices).
  7. Try cargo install-update -l
  8. See error

Expected behavior

Something like

$ cargo install-update -l
    Polling registry 'https://index.crates.io/'.......................................

Package          Installed             Latest                               Needs update
asn1rs           v0.3.1                v0.3.1                               No
b3sum            v1.5.1                v1.5.1                               No
.  .  .

Actual behavior

$ cargo install-update -l
    Polling registry 'https://index.crates.io/'
Failed to update index repository crates-io: package asn1rs: [35] SSL connect error (OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to index.crates.io:443 ).
$ 
$ OQSPROV=1 cargo install-update -l
OQS PROV: successfully registered dilithium2 with NID 1320
OQS PROV: successfully registered p256_dilithium2 with NID 1321
OQS PROV: successfully registered rsa3072_dilithium2 with NID 1322
OQS PROV: successfully registered dilithium3 with NID 1323
OQS PROV: successfully registered p384_dilithium3 with NID 1324
OQS PROV: successfully registered dilithium5 with NID 1325
OQS PROV: successfully registered p521_dilithium5 with NID 1326
OQS PROV: successfully registered mldsa44 with NID 1327
OQS PROV: successfully registered p256_mldsa44 with NID 1328
OQS PROV: successfully registered rsa3072_mldsa44 with NID 1329
OQS PROV: successfully registered mldsa44_pss2048 with NID 1330
OQS PROV: successfully registered mldsa44_rsa2048 with NID 1331
OQS PROV: successfully registered mldsa44_ed25519 with NID 1332
OQS PROV: successfully registered mldsa44_p256 with NID 1333
OQS PROV: successfully registered mldsa44_bp256 with NID 1334
OQS PROV: successfully registered mldsa65 with NID 1335
OQS PROV: successfully registered p384_mldsa65 with NID 1336
OQS PROV: successfully registered mldsa65_pss3072 with NID 1337
OQS PROV: successfully registered mldsa65_rsa3072 with NID 1338
OQS PROV: successfully registered mldsa65_p256 with NID 1339
OQS PROV: successfully registered mldsa65_bp256 with NID 1340
OQS PROV: successfully registered mldsa65_ed25519 with NID 1341
OQS PROV: successfully registered mldsa87 with NID 1342
OQS PROV: successfully registered p521_mldsa87 with NID 1343
OQS PROV: successfully registered mldsa87_p384 with NID 1344
OQS PROV: successfully registered mldsa87_bp384 with NID 1345
OQS PROV: successfully registered mldsa87_ed448 with NID 1346
OQS PROV: successfully registered falcon512 with NID 1347
OQS PROV: successfully registered p256_falcon512 with NID 1348
OQS PROV: successfully registered rsa3072_falcon512 with NID 1349
OQS PROV: successfully registered falconpadded512 with NID 1350
OQS PROV: successfully registered p256_falconpadded512 with NID 1351
OQS PROV: successfully registered rsa3072_falconpadded512 with NID 1352
OQS PROV: successfully registered falcon1024 with NID 1353
OQS PROV: successfully registered p521_falcon1024 with NID 1354
OQS PROV: successfully registered falconpadded1024 with NID 1355
OQS PROV: successfully registered p521_falconpadded1024 with NID 1356
OQS PROV: successfully registered sphincssha2128fsimple with NID 1357
OQS PROV: successfully registered p256_sphincssha2128fsimple with NID 1358
OQS PROV: successfully registered rsa3072_sphincssha2128fsimple with NID 1359
OQS PROV: successfully registered sphincssha2128ssimple with NID 1360
OQS PROV: successfully registered p256_sphincssha2128ssimple with NID 1361
OQS PROV: successfully registered rsa3072_sphincssha2128ssimple with NID 1362
OQS PROV: successfully registered sphincssha2192fsimple with NID 1363
OQS PROV: successfully registered p384_sphincssha2192fsimple with NID 1364
OQS PROV: successfully registered sphincsshake128fsimple with NID 1365
OQS PROV: successfully registered p256_sphincsshake128fsimple with NID 1366
OQS PROV: successfully registered rsa3072_sphincsshake128fsimple with NID 1367
OQS PROV: Default or FIPS provider available.
    Polling registry 'https://index.crates.io/'Unknown operation 5 requested from OQS provider
Unknown operation 5 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 2 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 1 requested from OQS provider
Unknown operation 11 requested from OQS provider
Unknown operation 11 requested from OQS provider

Failed to update index repository crates-io: package asn1rs: [35] SSL connect error (OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to index.crates.io:443 ).
$ 

Environment (please complete the following information):

  • OS: macOS Sonoma 14.4.1
  • OpenSSL version 3.2.1 (Macports-installed)
  • oqsprovider version 0.6.0 (or whatever the current main is)
  • liboqs current master

Please run the following commands to obtain the version information:

  • For OpenSSL: openssl version
  • For oqsprovider: openssl list -providers
$ openssl version
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.1
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.2.1
    status: active
  oqs
    name: OpenSSL OQS Provider
    version: 0.6.0
    status: active
  pkcs11
    name: PKCS#11 Provider
    version: 3.2.1
    status: active
$

Most upvoted comments

For sure we know that https://github.com/fwupd/fwupd/issues/7207#issuecomment-2095874862. The TLS is terminated at the AWS load balancer, so s2n-tls is used in this case.

Thanks for this confirmation: In this case, an OpenSSL fix (if necessary at all) would not buy us anything. Tagging @brian-jarvis-aws FYI (in case you have s2n contacts to chime in here).

why don’t you manage it on the system level?

How would you suggest doing this (short of creating a bespoke oqsprovider version supporting (and reporting) fewer algs to openssl)?

I mean something like

[ ssl_module ]  
system_default = crypto_policy

[ crypto_policy ]
...
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Groups = X25519:secp256r1:X448:secp521r1:secp384r1:ffdhe2048:ffdhe3072:ffdhe4096:ffdhe6144:ffdhe8192

Thanks, Brian brought this to s2n-tls’s attention and we’re currently working on a fix. It looks like we have a hard-coded limit of 64 signature schemes. There are <40 standardized signature schemes with assigned IANA values as of today, so having a max of 64 probably seemed like a safe assumption at the time. We are working to increase the limit as a quick short term fix, and longer term we plan to remove the limit completely.
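The limit described above is a server-side table size, not a protocol bound. This added example (not code from oqs-provider, OpenSSL or s2n-tls) serializes and parses the RFC 8446 signature_algorithms extension and models a server that aborts once the offered count passes a fixed cap. It assumes OpenSSL's built-in default list adds four legacy DSA entries to the 16 classical schemes in the crypto_policy line quoted earlier; the 48 and 20 provider counts come from the registration output in the report, and the PQ code points are constructed placeholders.

```python
"""TLS 1.3 signature_algorithms extension (RFC 8446, section 4.2.3): build it,
parse it, and model a server whose table for the peer's schemes has a fixed
size. Added example for this thread; not code from oqs-provider, OpenSSL or
s2n-tls. The PQ code points are constructed placeholders."""
import struct

EXT_SIGNATURE_ALGORITHMS = 13   # ExtensionType value for signature_algorithms
MAX_LIST_BYTES = 0xFFFE         # SignatureSchemeList is <2..2^16-2> bytes
S2N_ASSUMED_CAP = 64            # hard-coded limit reported in the thread

# IANA SignatureScheme code points for the classical schemes in the
# crypto_policy SignatureAlgorithms line (names as in RFC 8446).
CLASSICAL = {
    "ecdsa_secp256r1_sha256": 0x0403, "ecdsa_secp384r1_sha384": 0x0503,
    "ecdsa_secp521r1_sha512": 0x0603, "ed25519": 0x0807, "ed448": 0x0808,
    "rsa_pss_pss_sha256": 0x0809, "rsa_pss_pss_sha384": 0x080A,
    "rsa_pss_pss_sha512": 0x080B, "rsa_pss_rsae_sha256": 0x0804,
    "rsa_pss_rsae_sha384": 0x0805, "rsa_pss_rsae_sha512": 0x0806,
    "rsa_pkcs1_sha256": 0x0401, "rsa_pkcs1_sha384": 0x0501,
    "rsa_pkcs1_sha512": 0x0601, "ecdsa_sha224": 0x0303, "rsa_pkcs1_sha224": 0x0301,
}
# Assumption: OpenSSL's built-in default list also carries these legacy DSA
# entries (TLS 1.2 code points), so a real ClientHello is longer than the 16 above.
LEGACY_DSA = {"dsa_sha224": 0x0302, "dsa_sha256": 0x0402,
              "dsa_sha384": 0x0502, "dsa_sha512": 0x0602}


def provider_schemes(count, base=0xFE00):
    """Constructed placeholder code points for `count` provider sigalgs; the
    real values are assigned in oqs-provider's generated tables, not here."""
    return {f"pq_sigalg_{i}": base + i for i in range(count)}


def build_extension(schemes):
    """Serialize: ext type (2) | ext length (2) | list length (2) | 2 bytes per scheme."""
    body = b"".join(struct.pack("!H", cp) for cp in schemes)
    if not body or len(body) > MAX_LIST_BYTES:
        raise ValueError("SignatureSchemeList length out of protocol bounds")
    payload = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(payload)) + payload


def parse_extension(data):
    """Strict inverse of build_extension; returns the list of code points."""
    if len(data) < 6:
        raise ValueError("truncated extension header")
    ext_type, ext_len, list_len = struct.unpack("!HHH", data[:6])
    if ext_type != EXT_SIGNATURE_ALGORITHMS or ext_len != len(data) - 4:
        raise ValueError("bad extension type or length")
    if list_len != ext_len - 2 or list_len % 2 or list_len == 0:
        raise ValueError("bad SignatureSchemeList length")
    return list(struct.unpack(f"!{list_len // 2}H", data[6:]))


def capped_server_accepts(ext, cap=S2N_ASSUMED_CAP):
    """Model of a server with a fixed-size table: the extension is well-formed
    by the protocol, yet the handshake is aborted once the count exceeds `cap`.
    Returns (accepted, number_of_schemes_offered)."""
    offered = parse_extension(ext)
    return len(offered) <= cap, len(offered)


def client_hello_sigalgs(pq_count):
    """What a client advertises when every provider scheme is offered unfiltered."""
    return (list(CLASSICAL.values()) + list(LEGACY_DSA.values())
            + list(provider_schemes(pq_count).values()))


if __name__ == "__main__":
    cases = (("no PQ sigalgs", 0), ("48 default-enabled", 48), ("20 ML-DSA only", 20))
    for label, pq in cases:
        ok, n = capped_server_accepts(build_extension(client_hello_sigalgs(pq)))
        verdict = "handshake continues" if ok else "server aborts"
        print(f"{label:>20}: {n:2d} schemes offered -> {verdict}")
    # Protocol bound for comparison: up to 32767 schemes fit in one extension.
    print("protocol maximum:", MAX_LIST_BYTES // 2)
```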

sed worked fine, but some other things did not. 😦

After straightening out all of those, I’m getting successful TLS connections.

Note: I’m only enabling ML-DSA and Dilithium5 signatures. No others.

@baentsch I strongly suggest changing the defaults (at least for now) in oqs-templates/generate.yml, and disabling all the signature algorithms except for ML-DSA.

$ echo Q | openssl s_client -connect index.crates.io:443
Connecting to 18.165.83.98
CONNECTED(00000006)
depth=2 C=US, O=Amazon, CN=Amazon Root CA 1
verify return:1
depth=1 C=US, O=Amazon, CN=Amazon RSA 2048 M02
verify return:1
depth=0 CN=crates.io
verify return:1
---
Certificate chain
 0 s:CN=crates.io
   i:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 26 00:00:00 2023 GMT; NotAfter: Jan 23 23:59:59 2025 GMT
 1 s:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   i:C=US, O=Amazon, CN=Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
 2 s:C=US, O=Amazon, CN=Amazon Root CA 1
   i:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   i:C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
subject=CN=crates.io
issuer=C=US, O=Amazon, CN=Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5539 bytes and written 458 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
$ 
$ openssl list -signature-algorithms -provider oqs | wc -l
      32
$ openssl version
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
$

and

$ openssl3 version
OpenSSL 3.4.0-dev  (Library: OpenSSL 3.4.0-dev )
$ openssl3 list -signature-algorithms -provider oqs | wc -l
      32
$ echo Q | openssl3 s_client -connect index.crates.io:443
Connecting to 18.165.83.101
CONNECTED(00000006)
depth=3 C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C=US, O=Amazon, CN=Amazon Root CA 1
verify return:1
depth=1 C=US, O=Amazon, CN=Amazon RSA 2048 M02
verify return:1
depth=0 CN=crates.io
verify return:1
---
Certificate chain
 0 s:CN=crates.io
   i:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 26 00:00:00 2023 GMT; NotAfter: Jan 23 23:59:59 2025 GMT
 1 s:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   i:C=US, O=Amazon, CN=Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
 2 s:C=US, O=Amazon, CN=Amazon Root CA 1
   i:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   i:C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
subject=CN=crates.io
issuer=C=US, O=Amazon, CN=Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5539 bytes and written 441 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
$ 

Also, not sure if it’s related, but with OpenSSL-3.4.0-dev master the tests report:

Using Web proxy "xxxxx-irrelevant-xxxxx"
 Cloudflare:
  x25519_kyber768 @ oqsprovider
kex=X25519Kyber768Draft00
  x25519_kyber512 @ oqsprovider
kex=X25519Kyber512Draft00
Test project /Users/ur20980/src/oqs-provider/_build
    Start 1: oqs_signatures
1/6 Test #1: oqs_signatures ...................   Passed    3.97 sec
    Start 2: oqs_kems
2/6 Test #2: oqs_kems .........................   Passed    0.24 sec
    Start 3: oqs_groups
3/6 Test #3: oqs_groups .......................   Passed    0.37 sec
    Start 4: oqs_tlssig
4/6 Test #4: oqs_tlssig .......................   Passed  204.16 sec
    Start 5: oqs_endecode
5/6 Test #5: oqs_endecode .....................   Passed   10.88 sec
    Start 6: oqs_evp_pkey_params
6/6 Test #6: oqs_evp_pkey_params ..............   Passed    1.17 sec

100% tests passed, 0 tests failed out of 6

Total Test time (real) = 222.93 sec

Observe test #4: while normally all the tests take up to a few seconds each, this one takes more than 3.5 minutes.

For comparison, with OpenSSL-3.2.1:

Test project /Users/ur20980/src/oqs-provider/_build
    Start 1: oqs_signatures
1/6 Test #1: oqs_signatures ...................   Passed    3.93 sec
    Start 2: oqs_kems
2/6 Test #2: oqs_kems .........................   Passed    0.31 sec
    Start 3: oqs_groups
3/6 Test #3: oqs_groups .......................   Passed    0.45 sec
    Start 4: oqs_tlssig
4/6 Test #4: oqs_tlssig .......................   Passed    2.81 sec
    Start 5: oqs_endecode
5/6 Test #5: oqs_endecode .....................   Passed   10.56 sec
    Start 6: oqs_evp_pkey_params
6/6 Test #6: oqs_evp_pkey_params ..............   Passed    0.61 sec

100% tests passed, 0 tests failed out of 6

Total Test time (real) =  18.67 sec

Do you concur?

FWIW, I do: (PQ-)cert mgmt, CMS, etc all worked well before PQ-TLS-sig support. It’d be a pity to disable this by default just because of some weirdly behaving TLS servers.

there’s a possibility that OpenSSL itself will get fixed

Is this so? Do you know for fact that the servers rejecting these “high-count sigalg code point” handshakes are running OpenSSL?

it would be great if it were possible to separately define what algorithms are available by the provider to use, and what subset of those is advertised in TLS

That’d be a possible compromise indeed, but if memory serves, openssl now simply advertises all sig algs it finds providers to, well, provide. Admittedly, it was me adding this logic to openssl, so I feel at liberty to also change it again 😃 @levitte: What’d be your take/recommendation in this regard? We could add a property “OSSL_CAPABILITY_TLS_SIGALG_ADVERTISE” or so to facilitate this.

Are you using OpenSSL directly from their repos and the main branch or do you use the OpenSSL provided by your distro? Maybe you got the updated version with that commit later in time and that’s why it stopped working for you from April 12?

For my testing - all of the following:

* OpenSSL-3.2.1 binaries installed by Macports;

* OpenSSL-3.4.0-dev built myself from the source (daily), tracking `master` branch;

* `oqs-provider` built from the source (daily) tracking `main` branch (separate builds for both of the above OpenSSL versions).

Alright, then maybe you can try to disable some of the enabled sig algs and see if it works again for you? By default 48 sig algs are enabled in the current generate.yml, which triggers this issue in some servers (at least on my side with the experiments I did). For example, you can do the following to modify the file:

# Disable all sig algs
sed -i -e 's/enable: true/enable: false/g' oqs-template/generate.yml
# Enable ML-DSA
sed -i -e '552,660s/enable: false/enable: true/g' oqs-template/generate.yml
# Enable Falcon
sed -i -e '661,763s/enable: false/enable: true/g' oqs-template/generate.yml

Then re-run the python script and compile oqsprovider. If it works for you as well, then I think a possible solution (even though the problem is not from openssl or oqsprovider) as suggested by @baentsch would be to reduce the list of default enabled sig algs.

Interesting. It worked for me both for the system openssl (3.0.2) and the latest “master” build:

$ OPENSSL_MODULES=_build/lib openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
$ OPENSSL_MODULES=_build/lib openssl s_client -connect fwupd.org:443 -provider oqsprovider -provider default
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M02
verify return:1
depth=0 CN = fwupd.org
verify return:1
---
Certificate chain
 0 s:CN = fwupd.org
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 21 00:00:00 2023 GMT; NotAfter: Aug 18 23:59:59 2024 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M02
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
subject=CN = fwupd.org
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5578 bytes and written 437 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4ABA4644AC7C52DE2220E4AB9601B139F1AE41552DA44DFD7672C1FBA8BB1C1C
    Session-ID-ctx: 
    Master-Key: 6FA171C6466C85CA0EE59F12BCA8D4B2FDD011210AB6ED8414ACC30A0AD4F79E49A52B9275DACEB4755E3CED0C562B8C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:

    Start Time: 1714055509
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
Q
DONE

$ OPENSSL_MODULES=_build/lib ./.local/bin/openssl version
OpenSSL 3.4.0-dev  (Library: OpenSSL 3.4.0-dev )

$ OPENSSL_MODULES=_build/lib ./.local/bin/openssl s_client -provider oqsprovider -provider default -connect fwupd.org:443 
Connecting to 2600:1f14:414:5602::6ea1
CONNECTED(00000003)
depth=3 C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C=US, O=Amazon, CN=Amazon Root CA 1
verify return:1
depth=1 C=US, O=Amazon, CN=Amazon RSA 2048 M02
verify return:1
depth=0 CN=fwupd.org
verify return:1
---
Certificate chain
 0 s:CN=fwupd.org
   i:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 21 00:00:00 2023 GMT; NotAfter: Aug 18 23:59:59 2024 GMT
 1 s:C=US, O=Amazon, CN=Amazon RSA 2048 M02
   i:C=US, O=Amazon, CN=Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:25:30 2022 GMT; NotAfter: Aug 23 22:25:30 2030 GMT
 2 s:C=US, O=Amazon, CN=Amazon Root CA 1
   i:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
   i:C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
subject=CN=fwupd.org
issuer=C=US, O=Amazon, CN=Amazon RSA 2048 M02
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5578 bytes and written 525 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: A5ABBCAD7B60FDC204D3F4AA46C2530636DD941FDA07217A8503B6730F4B39ED
    Session-ID-ctx: 
    Master-Key: CE470EB96F3E1849AC9D2988FB29F3C295FDC33B3C4AEC61AECAC2D94B387B67D8E9912E7A682117977FE8A5A6A10232
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:

    Start Time: 1714055690
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
Q
DONE

--> What’s your openssl version?

It isn’t clear to me if the servers that were tested against are using the oqsprovider or not. What I get out of the outputs shown here is that it may as well be that they respond in different (possibly faulty) ways when faced with cipher suites they do not know… but TLS isn’t my area of expertise, so I can’t do much more than relay my impression.

I suspected something like that. The server like, “yo’weeeird, I’m walking away”

Is there any way to test/validate this hypothesis? And if it proves true - how can we work around this problem without completely disabling OQS provider?

You could run s_client to connect to your server with a limited list of cipher suites, groups and sig algs?

./openssl s_client -connect <server_ip>:<port> -tls1_3 -groups kyber512 -provider oqsprovider

I was writing this for something else, but I leave it here in case it’s useful for anyone to reproduce the issue with my exact setup:

podman run -it --rm archlinux:base-devel sh -c "$(cat <<EOF
# Update packages & install dependencies to build liboqs and oqs-provider
pacman -Syu --noconfirm &&
pacman -S --noconfirm \
    cmake \
    curl \
    doxygen \
    git \
    ninja \
    python \
    python-jinja \
    python-tabulate \
    python-yaml

# Build liboqs & install
git clone https://aur.archlinux.org/liboqs.git
# chmod 777 directory because makepkg cannot run as root
chmod 777 liboqs && cd liboqs
runuser -unobody -- makepkg --nocheck
pacman -U --noconfirm liboqs-1\:0.10.0-2-x86_64.pkg.tar.zst

# Build oqs-provider & install
cd ..
git clone https://aur.archlinux.org/oqsprovider.git
# chmod 777 directory because makepkg cannot run as root
chmod 777 oqsprovider && cd oqsprovider
runuser -unobody -- makepkg --nocheck
pacman -U --noconfirm oqsprovider-0.6.0-1-x86_64.pkg.tar.zst

# Get openssl conf file from oqs-provider/scripts
cd ..
curl -O https://raw.githubusercontent.com/open-quantum-safe/oqs-provider/main/scripts/openssl-ca.cnf

# This works (oqsprovider is not enabled)
curl -v -o /dev/null https://downloads.1password.com/linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig

# This doesn't work (oqsprovider enabled)
export OPENSSL_CONF=/openssl-ca.cnf
curl -v -o /dev/null https://downloads.1password.com/linux/tar/stable/x86_64/1password-8.10.30.x64.tar.gz.sig
EOF
)"

But I was able to reproduce using the fullbuild.sh script, so I don’t think it’s an issue of how I’m building liboqs or oqs-provider.

Since this only happens with certain servers, can it also be a “misconfiguration” on the server side? If the client offers PQC KEM, perhaps that triggers something on the server side that causes the handshake to fail.