[tls_client] session resumption doesn't work when server sends session ticket along with other data
When using policy.TLS_FORWARD
against a kresd that was compiled with new-enough gnutls to support TLS 1.3 (Arch, Debian 10, ...), session resumption doesn't work.
When the connection is established for the first time, queries are answered. When this connection is closed (usually after TCP keepalive expires, ~10secs), it can no longer be re-established and forwarding stops working. Log contains many attempts to reconnect, all ending up with the following error:
```
[tls_client] TLS handshake with 127.0.0.1#00853 has completed
[tls_client] TLS session has resumed
[gnutls] (5) REC[0x55989bcfd8f0]: Preparing Packet Application Data(23) with length: 33 and min pad: 0
[gnutls] (5) REC[0x55989bcfd8f0]: Sent Packet[1] Application Data(23) in epoch 2 and length: 55
[gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1777
[gnutls] (5) REC[0x55989bcfd8f0]: SSL 3.3 Application Data packet received. Epoch 2, length: 268
[gnutls] (5) REC[0x55989bcfd8f0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x55989bcfd8f0]: Received Packet Application Data(23) with length: 268
[gnutls] (5) REC[0x55989bcfd8f0]: Decrypted Packet[0] Handshake(22) with length: 251
[gnutls] (3) ASSERT: buffers.c[get_last_packet]:1170
[gnutls] (4) HSK[0x55989bcfd8f0]: NEW SESSION TICKET (4) was received. Length 247[247], frag offset 0, frag length: 247, sequence: 0
[gnutls] (3) ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1431
[gnutls] (4) HSK[0x55989bcfd8f0]: parsing session ticket message
[gnutls] (3) ASSERT: record.c[_gnutls_recv_in_buffers]:1579
[gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1777
[io] => connection to '127.0.0.1#00853': error processing TLS data, close
```
The resolver attempts the same resolution multiple times with the same result, and ultimately answers the client with SERVFAIL. Cached queries are still answered correctly.
This is easily reproducible when both the client and the forward target resolver are compiled with gnutls>3.6 and these configs are used:
```lua
-- kresd_fwd_target.conf
net.listen('127.0.0.1', 853, { kind = 'tls' })
```

```lua
-- kresd.conf
net.listen('127.0.0.1', 53535)
policy.add(policy.all(policy.TLS_FORWARD({
  {'127.0.0.1', insecure=true}
})))
```