Opened 4 months ago

Closed 4 months ago

#33751 closed defect (fixed)

WKD: Error running auto-key-locate wkd in Windows 10

Reported by: ggus Owned by: anarcat
Priority: High Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I'm reviewing our instructions to verify Tor Browser[1] and it looks like looks like our wkd has some issues with Windows. It works fine with macOS and Linux.

I asked in gnupg-users mailing list[2], and Werner Koch suggested that

"A reason for the failed handhake might be that no common parameters
could be found. We would need to look at the server log or run tests
with that server to see what it expects. I copy the full TLS log below.
I have no GNUTLS based build currently available, if that works, it log
could give also some conclusion. However, on Windows we always use
NTBTLS."

Here's the log:

DBG: ntbtls(2): handshake
DBG: ntbtls(2): client state: 0 (hello_request)
DBG: ntbtls(3): flush output
DBG: ntbtls(2): client state: 1 (client_hello)
DBG: ntbtls(3): flush output
DBG: ntbtls(2): write client_hello
DBG: ntbtls(3): client_hello, max version: [3:3]
DBG: ntbtls(3): client_hello, current time: 1585298512
DBG: client_hello, random bytes: 5e7dbc5008b76aa83d09c4393a4bdbe792ad9fee5198c6d9f88357ad16020156
DBG: ntbtls(3): client_hello, session id len.: 0
DBG: client_hello, session id: 
DBG: ntbtls(5): client_hello, add ciphersuite: 49192 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite:   107 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49172 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:    57 TLS-DHE-RSA-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49271 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite:   196 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:   136 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49191 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:   103 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49171 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:    51 TLS-DHE-RSA-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49270 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:   190 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:    69 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49170 TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:    22 TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49208 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite:   179 TLS-DHE-PSK-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite: 49206 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:   145 TLS-DHE-PSK-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49307 TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite: 49303 TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite: 49207 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:   178 TLS-DHE-PSK-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49205 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:   144 TLS-DHE-PSK-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49302 TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49306 TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite: 49204 TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:   143 TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:    61 TLS-RSA-WITH-AES-256-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:    53 TLS-RSA-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:   192 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:   132 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:    60 TLS-RSA-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:    47 TLS-RSA-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:   186 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:    65 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:    10 TLS-RSA-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:   183 TLS-RSA-PSK-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite:   149 TLS-RSA-PSK-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49305 TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite:   182 TLS-RSA-PSK-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:   148 TLS-RSA-PSK-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49304 TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:   147 TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite:   175 TLS-PSK-WITH-AES-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite:   141 TLS-PSK-WITH-AES-256-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49301 TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384
DBG: ntbtls(5): client_hello, add ciphersuite:   174 TLS-PSK-WITH-AES-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:   140 TLS-PSK-WITH-AES-128-CBC-SHA
DBG: ntbtls(5): client_hello, add ciphersuite: 49300 TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256
DBG: ntbtls(5): client_hello, add ciphersuite:   139 TLS-PSK-WITH-3DES-EDE-CBC-SHA
DBG: ntbtls(3): client_hello, got 54 ciphersuites
DBG: ntbtls(3): client_hello, compress len.: 2
DBG: ntbtls(3): client_hello, compress alg.: 1 0
DBG: ntbtls(3): client_hello, adding server name extension: 'openpgpkey.torproject.org'
DBG: ntbtls(3): client_hello, adding signature_algorithms extension
DBG: ntbtls(3): client hello, adding supported_elliptic_curves extension
DBG: ntbtls(3): client hello, adding supported_point_formats extension
DBG: ntbtls(3): client_hello, adding session ticket extension
DBG: ntbtls(3): client_hello, total extension length: 88
DBG: ntbtls(3): write record
DBG: ntbtls(3): output record: msgtype = 22, version = [3:3], msglen = 242
DBG: output record sent to network: 16030300f2010000ee03035e7dbc5008b76aa83d09c4393a4bdbe792ad9fee51 \
DBG:                                98c6d9f88357ad1602015600006c00ffc028006bc0140039c07700c40088c027 \
DBG:                                0067c0130033c07600be0045c0120016c03800b3c0360091c09bc097c03700b2 \
DBG:                                c0350090c096c09ac034008f003d003500c00084003c002f00ba0041000a00b7 \
DBG:                                0095c09900b60094c098009300af008dc09500ae008cc094008b020100005800 \
DBG:                                00001e001c0000196f70656e7067706b65792e746f7270726f6a6563742e6f72 \
DBG:                                67000d001600140601050104010301020106030503040303030203000a000e00 \
DBG:                                0c001700180019001a001b001c000b0002010000230000
DBG: ntbtls(3): flush output
DBG: ntbtls(3): message length: 247, out_left: 247
DBG: ntbtls(3): es_write returned: success
DBG: ntbtls(2): client state: 2 (server_hello)
DBG: ntbtls(3): flush output
DBG: ntbtls(2): read server_hello
DBG: ntbtls(3): read record
DBG: ntbtls(3): fetch input
DBG: ntbtls(3): in_left: 0, nb_want: 5
DBG: ntbtls(3): es_read returned: success
DBG: ntbtls(3): input record: msgtype = 21, version = [3:3], msglen = 2
DBG: ntbtls(3): fetch input
DBG: ntbtls(3): in_left: 5, nb_want: 7
DBG: ntbtls(3): es_read returned: success
DBG: input record from network: 15030300020228
DBG: ntbtls(2): got an alert message, type: [2:40]
DBG: ntbtls(1): is a fatal alert message (msg 40)
DBG: ntbtls(1): (handshake failed)
DBG: ntbtls(1): read_record returned: Fatal alert message received <TLS>
DBG: ntbtls(2): handshake ready
TLS handshake failed: Fatal alert message received <TLS>
error connecting to 'https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf?l=torbrowser': Fatal alert message received
DBG: ntbtls(2): release
command 'WKD_GET' failed: Fatal alert message received <TLS>

[1] gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser at torproject.org https://support.torproject.org/tbb/how-to-verify-signature/
[2] https://lists.gnupg.org/pipermail/gnupg-users/2020-March/063385.html

Child Tickets

Change History (5)

comment:1 Changed 4 months ago by anarcat

which version of windows is this? could be related to a recent change in the ciphersuites #32351

comment:2 Changed 4 months ago by ggus

Windows Server 2019 / Microsoft Windows [Version 10.0.17763.134]

I started to review after an user asked on IRC (they were using Windows 10, too).

comment:3 Changed 4 months ago by ggus

From gnupg-users,

Probably, no matching cipher suite. According to ssllabs.com/ssltest 
openpgpkey.torproject.org (well, at least one of the actual servers) only 
supports the following cipher suites:
# TLS 1.3 (server has no preference)
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256

# TLS 1.2 (server has no preference)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

I think none of those matches any of those in the output of ntbtls in your 
message.

Regards,
Ingo

https://lists.gnupg.org/pipermail/gnupg-users/2020-March/063386.html

comment:4 Changed 4 months ago by anarcat

Owner: changed from tpa to anarcat
Status: newaccepted

comment:5 Changed 4 months ago by anarcat

Resolution: fixed
Status: acceptedclosed

i reverted our ciphersuite change, please see if it fixes the problem for you.

commit 6cc23ac7ee461cd14cad96da2344f3c797fa9df5 (HEAD -> master, origin/master, origin/HEAD)
Author: Antoine Beaupré <anarcat@debian.org>
Date:   Fri Mar 27 17:03:27 2020 -0400

    Revert "Update SSL preferences and disable TLS 1 and 1.1 in apache re: #32351"
    
    This causes problems with GnuPG as a WKD client on windows, see #33751
    
    This reverts commit c5278f3562d8c6e8d05a0bc0f74ef17bd397e2e7.

diff --git a/modules/apache2/templates/puppet-conf.erb b/modules/apache2/templates/puppet-conf.erb
index 1f5583e9..4924b3a5 100644
--- a/modules/apache2/templates/puppet-conf.erb
+++ b/modules/apache2/templates/puppet-conf.erb
@@ -1,11 +1,15 @@
 <IfModule mod_ssl.c>
-  # this is a list that seems suitable as of 2020-03, when running buster
-  # (Debian 10).  It probably requires re-visiting regularly.
-  # 2020-03-11
-  #  https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.4
-  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
-  SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-  SSLHonorCipherOrder     off
+  SSLProtocol all -SSLv2 -SSLv3
+  SSLHonorCipherOrder On
+
+  # this is a list that seems suitable as of 2014-10, when running wheezy.  It
+  # probably requires re-visiting regularly.
+  # 2018-07-17
+  #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.0.2l&hsts=yes&profile=intermediate
+  #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.1.0&hsts=no&profile=intermediate
+  #
+  # https://trac.torproject.org/projects/tor/ticket/32351
+  SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
   <%- if has_variable?("apache2deb9") && ((@apache2deb9.kind_of?(String) and @apache2deb9 == "true") or (@apache2deb9.kind_of?(TrueClass))) -%>
     SSLUseStapling On

i made a note in #32351 so that we test on windows before the next attempt.

Note: See TracTickets for help on using tickets.