
WIP: Remove TLS rehandshaking support

Michael Catanzaro requested to merge mcatanzaro/drop-rehandshaking into master

Rehandshaking was removed from the TLS protocol in TLS 1.3. It's possible that we still need to support it for TLS 1.2 connections, but I'm pretty sure we don't. There are three ways a rehandshake could be triggered: (1) by application API request, when calling g_tls_connection_handshake() for a connection that has already handshaked; (2) for a client connection, when the server peer requests a rehandshake; (3) for a server connection, when the client requests a rehandshake. Let's consider each case.

For (1), I previously deprecated this functionality in GLib 2.60. Calling handshake multiple times is now undefined behavior, except it's guaranteed to not break the connection in any way, for backwards compatibility. See also glib!1305 (merged) for recent documentation clarifications. I'm relatively confident that no real-world applications are relying on this behavior; if they are, they're probably broken now anyway, because we default to TLS 1.3 nowadays and have no documented way to change that. (There's an undocumented environment variable.) If your application is intentionally doing (1) and this causes problems for you, please let us know (but I'll be surprised :)

In case (2), the client can simply ignore the rehandshake request. This could in theory also break some applications... but again, I'm not expecting much in the way of bug reports. I don't think this should affect web browsers, at least. Maybe if a website decides it wants to authenticate an existing connection without starting a new page load, then it could be a problem? My suspicion is zero users will complain.

Finally, case (3). In this case, we have no choice but to terminate the connection. However, this also should basically never happen. Almost all users of GTlsConnection are using GTlsClientConnection, for starters. The main user of GTlsServerConnection is probably cockpit. Since we support TLS 1.3, and virtually all clients nowadays do too, almost all negotiated connections should wind up using TLS 1.3. We need to continue supporting TLS 1.2 indefinitely for client connections, until web servers migrate to TLS 1.3 over the course of the next decade. But clients have mostly already migrated. So for a server, rehandshaking is pretty much out of the question already: a GTlsServerConnection relying on this behavior is already broken.

Conclusion: I think we can get away with this. Now, we could keep the rehandshaking code around forever if it doesn't cause problems, but I'm trying to finish up a major refactor, during which I removed rehandshaking support to simplify things, and bringing it back for that would entail some additional complexity that I'd rather not have. Also, now that support for TLS 1.2 session resumption has been removed, rehandshakes are the only remaining legacy TLS feature that we support, and it's kind of nice to clean house with an entirely modern implementation as long as doing so doesn't break real-world applications. Lack of bug reports will be interpreted as lack of breakage.

Lastly, note that we still need to support TLS 1.3 post-handshake authentication, #39. That's still a TODO item regardless of this change.

Edited by Michael Catanzaro
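The three cases from the description above, modelled as an added example that is not code from this merge request or from glib-networking. All type and function names are hypothetical. It assumes each buffer holds exactly one complete, already-decrypted TLS 1.2 handshake message received after the initial handshake, and closing on any other post-handshake message is this example's own choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.2 handshake message types (RFC 5246, section 7.4). */
enum { HS_HELLO_REQUEST = 0, HS_CLIENT_HELLO = 1 };

/* Hypothetical types for this example only. */
typedef enum { ROLE_CLIENT, ROLE_SERVER } tls_role;
typedef enum { ACT_IGNORE, ACT_CLOSE, ACT_MALFORMED } tls_action;

/* Case (1): a repeated application handshake call becomes a no-op once the
 * first handshake is done. Returns 1 only when a handshake should run. */
int app_handshake_should_run(int *handshake_done)
{
    if (*handshake_done)
        return 0;
    *handshake_done = 1;
    return 1;
}

/* Cases (2) and (3): decide what to do with a handshake message that arrives
 * after the initial handshake. Header: 1-byte type, 3-byte big-endian length. */
tls_action post_handshake_action(tls_role role, const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < 4)
        return ACT_MALFORMED;                 /* truncated header */
    size_t body = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    if (body != len - 4)
        return ACT_MALFORMED;                 /* length field disagrees with buffer */

    if (role == ROLE_CLIENT && msg[0] == HS_HELLO_REQUEST)
        return body == 0 ? ACT_IGNORE : ACT_MALFORMED; /* case (2): body is empty */
    /* Case (3): a ClientHello on a server means the client wants to
     * rehandshake. Any other message here is unexpected, so close as well. */
    return ACT_CLOSE;
}

int main(void)
{
    /* Constructed samples: an empty HelloRequest and a stub ClientHello
     * carrying only the two version bytes (not a complete ClientHello). */
    const uint8_t hello_request[] = { 0x00, 0x00, 0x00, 0x00 };
    const uint8_t client_hello[]  = { 0x01, 0x00, 0x00, 0x02, 0x03, 0x03 };
    printf("client gets HelloRequest: %d\n",
           post_handshake_action(ROLE_CLIENT, hello_request, sizeof hello_request));
    printf("server gets ClientHello:  %d\n",
           post_handshake_action(ROLE_SERVER, client_hello, sizeof client_hello));
    return 0;
}
```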
