Handshake failure due to ticket arrival #8591

Closed
irwir opened this issue Dec 2, 2023 · 4 comments
Labels
bug component-tls13 priority-high High priority - will be reviewed soon size-s Estimated task size: small (~2d)

Comments

@irwir
Contributor

irwir commented Dec 2, 2023

Summary

Testing sls_mail_client.c with locally installed hMailServer (based on OpenSSL library).
Server cannot be connected due to handshake failure.

System information

Mbed TLS version 3.5.0
Operating system and version: Windows 11
Compiler: Visual Studio 2022

Expected behavior

Successful mail exchange.

Actual behavior

When handshaking gets to MBEDTLS_SSL_HANDSHAKE_OVER state, the mail server sends a ticket.
Now, since the step returned with a non-zero state MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET, handshaking got aborted.

Additional information

    ret = mbedtls_ssl_tls13_handshake_client_step(ssl);

This addition quickly patched the issue, but the problem might be deeper:

    if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET &&
        ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
        ret = 0;
    }

@yanrayw yanrayw added bug component-tls13 size-s Estimated task size: small (~2d) priority-high High priority - will be reviewed soon labels Dec 4, 2023
@ronald-cron-arm
Contributor

ronald-cron-arm commented Jan 17, 2024

Thanks a lot for the report. The quick patch basically disables the reception of TLS 1.3 session tickets by applications, thus we cannot do that. I see two possible ways forward:

  1. ignoring in your application code (mail client it seems) the MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET returned value (can be returned by mbedtls_ssl_handshake_step(), mbedtls_ssl_handshake() and mbedtls_ssl_read()).
  2. disabling the MBEDTLS_SSL_SESSION_TICKETS configuration option when you build the Mbed TLS library for your mail client. I know that we have some pending issues around that but we are aiming to fix them shortly.
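
Option 1 above, as an added example (not Mbed TLS code and not the mail client's): a handshake driver that treats MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET as "continue" while still failing on every other error and bounding the number of iterations. The error-code values are copied from mbedtls/ssl.h as an assumption so the file builds without the library; the library step is passed in as a function pointer and exercised with a scripted stub, so nothing here talks to a real server. In a real client the pointer would wrap mbedtls_ssl_handshake() or mbedtls_ssl_read().

```c
/* Added example (not Mbed TLS code): a handshake driver that treats
 * MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET as "keep going" instead of
 * as a failure, fails on every other error, and bounds the iterations. */
#include <stddef.h>
#include <stdio.h>

/* Values as defined in mbedtls/ssl.h (copied here as an assumption so the
 * file compiles without the library; a real build includes the header). */
#define MBEDTLS_ERR_SSL_WANT_READ                   -0x6900
#define MBEDTLS_ERR_SSL_WANT_WRITE                  -0x6880
#define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00

/* Example-specific codes, not Mbed TLS ones. */
#define EXAMPLE_ERR_STEP_LIMIT  -1      /* peer kept us spinning */
#define STUB_OTHER_ERROR        -0x0F00 /* arbitrary "some other error" for the stub */

typedef int (*step_fn)(void *ctx);

typedef struct {
    int steps;          /* how many times the step function was called */
    int tickets_seen;   /* NewSessionTicket notifications swallowed */
} hs_stats;

/* Drive `step` until it reports completion (0) or a real error.
 * WANT_READ/WANT_WRITE mean "try again" (a real client waits on the socket
 * first). A NewSessionTicket notification is counted and the loop continues;
 * that is the point where a client would call mbedtls_ssl_get_session() to
 * keep the ticket for resumption. */
int tolerant_handshake(step_fn step, void *ctx, int max_steps, hs_stats *st)
{
    st->steps = 0;
    st->tickets_seen = 0;
    for (;;) {
        int ret;
        if (st->steps >= max_steps) {
            return EXAMPLE_ERR_STEP_LIMIT;
        }
        st->steps++;
        ret = step(ctx);
        if (ret == 0) {
            return 0;
        }
        if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
            continue;
        }
        if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
            st->tickets_seen++;
            continue;
        }
        return ret; /* anything else is fatal: do not mask it */
    }
}

/* Scripted stub standing in for the library: returns the next value from a
 * constructed script, then 0 ("handshake over") once the script is used up. */
typedef struct {
    const int *script;
    size_t len;
    size_t pos;
} stub_state;

static int scripted_step(void *ctx)
{
    stub_state *s = (stub_state *)ctx;
    if (s->pos >= s->len) {
        return 0;
    }
    return s->script[s->pos++];
}

int run_script(const int *script, size_t n, int max_steps, hs_stats *st)
{
    stub_state s;
    s.script = script;
    s.len = n;
    s.pos = 0;
    return tolerant_handshake(scripted_step, &s, max_steps, st);
}

/* Constructed scripts (not captured from a real server). */
const int script_ticket_then_done[] = {
    MBEDTLS_ERR_SSL_WANT_READ, MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET, 0
};
const int script_fatal[] = { MBEDTLS_ERR_SSL_WANT_WRITE, STUB_OTHER_ERROR };
const int script_ticket_flood[] = {
    MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET, MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET,
    MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET, MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET
};

int main(void)
{
    hs_stats st;
    int ret = run_script(script_ticket_then_done, 3, 16, &st);
    printf("ticket mid-loop: ret=%d tickets=%d steps=%d\n", ret, st.tickets_seen, st.steps);
    ret = run_script(script_fatal, 2, 16, &st);
    printf("other error: ret=%d\n", ret);
    ret = run_script(script_ticket_flood, 4, 3, &st);
    printf("ticket flood with limit 3: ret=%d\n", ret);
    return 0;
}
```

The same wrapper applies unchanged to the mbedtls_ssl_read() path, where the code can also surface. The step limit is the caveat that goes with swallowing the code: once the application stops treating it as an error, nothing else stops a misbehaving server from keeping the client spinning on tickets, so the retry has to be bounded.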

@irwir
Contributor Author

irwir commented Jan 17, 2024

This is the Mbed TLS example mail client. It has got changes for TLS 1.3, but more than one issue was encountered.

1. ignoring in your application code (mail client it seems) the MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET returned value (can be returned by mbedtls_ssl_handshake_step(), mbedtls_ssl_handshake() and mbedtls_ssl_read()).

The client calls mbedtls_ssl_handshake(), and one of the steps (not the last) fails inside the library code.
Should the remaining steps be skipped, the connection might end up having a wrong state.
Hence the patch was a natural choice.

Hopefully, the issue would be properly resolved soon.

@irwir
Contributor Author

irwir commented Feb 24, 2024

My basic understanding of ticket handling is that the server sends a ticket when a handshake has been completed successfully.
The client could store the ticket and might use it for future fast reconnects.
But only ssl_tls13_server.c has processing in MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET state, while there is nothing in the corresponding client module.
That server processing routine restarts (an already completed) handshaking, which is not what the client side needs.
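
The message in question, as an added example (not Mbed TLS code): a bounds-checked parser for the TLS 1.3 NewSessionTicket handshake message as laid out in RFC 8446, section 4.6.1, which is what a client has to validate before it can store the ticket for resumption. The sample bytes are constructed for the example, not captured from a server; the field layout and the 7-day lifetime ceiling come from the RFC.

```c
/* Added example (not Mbed TLS code): bounds-checked parser for the TLS 1.3
 * NewSessionTicket handshake message (RFC 8446, section 4.6.1). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HS_TYPE_NEW_SESSION_TICKET 4
#define MAX_TICKET_LIFETIME 604800u /* RFC 8446 4.6.1: at most 7 days */

enum {
    NST_OK = 0,
    NST_ERR_TRUNCATED = -1,    /* a length field points past the buffer */
    NST_ERR_NOT_NST = -2,      /* handshake type is not new_session_ticket */
    NST_ERR_TRAILING = -3,     /* bytes left over after the last field */
    NST_ERR_EMPTY_TICKET = -4, /* ticket<1..2^16-1> must not be empty */
    NST_ERR_LIFETIME = -5      /* server exceeded the 7-day maximum */
};

typedef struct {
    uint32_t lifetime;        /* seconds; 0 means "do not cache this ticket" */
    uint32_t age_add;         /* obfuscates the ticket age sent in the ClientHello */
    const uint8_t *nonce; size_t nonce_len;
    const uint8_t *ticket; size_t ticket_len;
    const uint8_t *ext; size_t ext_len;
} nst_t;

static uint32_t rd_u16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t rd_u24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | rd_u16(p + 1); }
static uint32_t rd_u32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | rd_u24(p + 1); }

/* Parses one complete handshake message (4-byte header + body). Every
 * length field is checked against the remaining bytes before it is used. */
int parse_new_session_ticket(const uint8_t *buf, size_t len, nst_t *out)
{
    const uint8_t *p, *end, *q, *qend;
    size_t body_len;

    if (len < 4) return NST_ERR_TRUNCATED;
    if (buf[0] != HS_TYPE_NEW_SESSION_TICKET) return NST_ERR_NOT_NST;
    body_len = rd_u24(buf + 1);
    if (body_len != len - 4) return NST_ERR_TRUNCATED;
    p = buf + 4;
    end = p + body_len;

    if ((size_t)(end - p) < 9) return NST_ERR_TRUNCATED; /* lifetime, age_add, nonce length */
    out->lifetime = rd_u32(p); p += 4;
    out->age_add = rd_u32(p);  p += 4;
    out->nonce_len = *p++;
    if ((size_t)(end - p) < out->nonce_len) return NST_ERR_TRUNCATED;
    out->nonce = p; p += out->nonce_len;

    if ((size_t)(end - p) < 2) return NST_ERR_TRUNCATED;
    out->ticket_len = rd_u16(p); p += 2;
    if (out->ticket_len == 0) return NST_ERR_EMPTY_TICKET;
    if ((size_t)(end - p) < out->ticket_len) return NST_ERR_TRUNCATED;
    out->ticket = p; p += out->ticket_len;

    if ((size_t)(end - p) < 2) return NST_ERR_TRUNCATED;
    out->ext_len = rd_u16(p); p += 2;
    if ((size_t)(end - p) < out->ext_len) return NST_ERR_TRUNCATED;
    out->ext = p;
    /* Walk the extension list so a bad inner length is caught now rather
     * than later when the client looks for early_data or similar. */
    for (q = p, qend = p + out->ext_len; q < qend; ) {
        size_t elen;
        if ((size_t)(qend - q) < 4) return NST_ERR_TRUNCATED;
        elen = rd_u16(q + 2);
        q += 4;
        if ((size_t)(qend - q) < elen) return NST_ERR_TRUNCATED;
        q += elen;
    }
    p += out->ext_len;

    if (p != end) return NST_ERR_TRAILING;
    if (out->lifetime > MAX_TICKET_LIFETIME) return NST_ERR_LIFETIME;
    return NST_OK;
}

/* Constructed message (not captured from a real server): lifetime 7200 s,
 * age_add 0xdeadbeef, 2-byte nonce, 8-byte opaque ticket, no extensions. */
const uint8_t sample_nst[] = {
    0x04, 0x00, 0x00, 0x17,                /* new_session_ticket, body length 23 */
    0x00, 0x00, 0x1c, 0x20,                /* ticket_lifetime = 7200 */
    0xde, 0xad, 0xbe, 0xef,                /* ticket_age_add */
    0x02, 0x00, 0x01,                      /* ticket_nonce */
    0x00, 0x08, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, /* ticket */
    0x00, 0x00                             /* extensions (empty) */
};

int main(void)
{
    nst_t t;
    int ret = parse_new_session_ticket(sample_nst, sizeof sample_nst, &t);
    printf("ret=%d lifetime=%u ticket_len=%u\n", ret, t.lifetime, (unsigned)t.ticket_len);
    ret = parse_new_session_ticket(sample_nst, sizeof sample_nst - 1, &t);
    printf("truncated: ret=%d\n", ret);
    return 0;
}
```

A client that keeps the ticket stores the opaque ticket bytes together with lifetime, age_add, nonce and the resumption secret derived from the nonce; a lifetime of 0 means the ticket is to be discarded immediately, and one above the RFC's seven-day ceiling is rejected here rather than silently capped.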

@irwir
Contributor Author

irwir commented Mar 1, 2024

After the commit 9b4e964 the mail application could successfully connect and send an email.

Projects
Status: [3.6] TLS 1.3 misc for LTS