Skip to content

E26: TLS Hardening #279

Description

@DavidCozens

Hardening of the library's TLS reference integrations beyond the
walking-skeleton + cert-validation work shipped under E03 and the
mbedTLS walking skeleton shipped under S08.07. Covers both
Platform/OpenSsl/ (the original SL4-targeted hosted-target reference)
and Platform/MbedTls/ (the embedded-target reference). Targets
revocation visibility, resource-lifetime correctness, and other
client-side TLS concerns surfaced by real-world deployment patterns now
that the fail-fast reconnect model (S12.14) makes handshake frequency a
first-class concern.

E03 took the OpenSSL-on-POSIX reference integration from "no TLS" to
"validated, hardened, mutually authenticated TLS that satisfies SL4".
S08.07 brought the mbedTLS reference integration up to the same
client-auth feature set on embedded targets. E26 picks up the items
both deferred and the ones that surfaced once the rest of the stack
landed.

Scope

Client-side TLS concerns inside Platform/OpenSsl/ and
Platform/MbedTls/. Concrete items:

  • Adapter resource lifetime — unwind on Open failure. When a
    layered TLS adapter's Open fails after the inner transport or SSL
    state has been allocated, the adapter must unwind so subsequent
    retries are a clean cycle. S26.02 (mbedTLS), S26.03 (OpenSSL).
  • OCSP stapling / revocation visibility — E03 deferred CRL/OCSP
    with an ADR; revisit once a deployment surfaces a need or the
    regulator asks.
  • Renegotiation policy — explicit decision on whether to permit
    server-initiated renegotiation; OpenSSL defaults are
    platform-version dependent.
  • Handshake-failure audit callback — surface why a handshake
    failed to the integrator without leaking OpenSSL or mbedTLS types
    into the public API. E03 noted this could fold into E12; pulling it
    here keeps TLS-specific diagnostics together.

Each item becomes a story when scope is clear and we're ready to do
the work.

Architecture boundary

Same boundary as E03 — Core stays untouched. All work lives in
Platform/OpenSsl/Source/SolidSyslogTlsStream.c,
Platform/MbedTls/Source/SolidSyslogMbedTlsStream.c, and the
corresponding unit / BDD / integration tests. Public configs
(SolidSyslogTlsStreamConfig, SolidSyslogMbedTlsStreamConfig) only
grow when an item genuinely requires integrator input.

Stories

Story Title Status
S26.01 (#280) Client-side session resumption (RFC 5077 tickets / session IDs) — OpenSSL Won't do — resumption out of scope (see below)
S26.02 (#420) MbedTlsStream Open() unwinds inner transport and SSL state on failure Done
S26.03 (#441) TlsStream Open() unwinds inner transport and SSL state on failure — OpenSSL parity of S26.02 Done
S26.04 (#489) mbedTLS client-side TLS session resumption Reverted — resumption out of scope (see below)

Candidate ideas

Ideas live here until commitment, matching the E24 convention. Stories
get fleshed out only when we're close to doing the work — keeps the
backlog lean and avoids rework when the design shifts.

  • OCSP stapling support — opt-in via
    SSL_CTX_set_tlsext_status_cb / SSL_set_tlsext_status_type.
    Re-evaluate whether to require, prefer, or ignore stapled responses.
  • Renegotiation policy — explicit decision and lockdown.
  • Handshake-failure audit callback — typed reason code surfaced to
    the integrator without leaking OpenSSL SSL_ERROR_* or mbedTLS
    MBEDTLS_ERR_* values.
  • Cipher / group tightening beyond S03.08 — track FIPS /
    quantum-safe group adoption.

Out of scope

  • TLS session resumption (RFC 5077 tickets / session IDs / RFC 8446
    1.3 PSK)
    — out of scope for both reference integrations, on either
    backend, for either TLS version. S26.01 (OpenSSL) closed won't-do;
    S26.04 (mbedTLS) merged then reverted (revert: S26.04 mbedTLS client-side TLS session resumption #492). Rationale:

    1. Resumption is an optimization, never correctness — a full
      handshake must always succeed on every (re)connect regardless.
    2. The TCP streams use keepalive: one handshake then a long-lived
      stream, so resumption only pays at reconnect and reconnects are
      rare.
    3. When reconnects do happen they're usually a disgraceful close —
      exactly when the server has discarded resumable state — so the
      optimization is least likely to be available in the very case it
      was meant to help.
    4. Disproportionate cost to do honestly: 1.2 and 1.3 use different
      mechanisms, 1.3 tickets arrive post-handshake, and mTLS-on-resume
      has separate identity semantics — four cases each needing an
      honest mechanism-correct test for an optional speedup.

    If ever revisited: drive the real sender stack against an
    off-the-shelf server (openssl s_server / stunnel) observed
    server-side at the BDD/compose layer — do not hand-roll a TLS server
    in the in-process harness.

  • TLS 1.3 0-RTT (early data) — replay-attack tradeoff not justified
    for syslog. Likely never.

  • Alternate TLS backend integrations beyond OpenSSL and mbedTLS
    (BearSSL, wolfSSL) — remain future work; would be a fresh
    integration epic per backend.

  • Server-side TLS concerns — we're a client.

  • Cryptographic integrity / encryption of stored records — that's
    E17 (E17: Cryptographic integrity and confidentiality at rest #105).

  • Certificate rotation mid-connection — E03 retired S03.10; the
    Open-rebuilds-CTX behaviour already satisfies CR 1.5 / CR 1.8.
    Revisit only if a deployment surfaces a need.

  • Cert-validation policy itself — E03 (S03.08, S03.09) and S08.07
    are the authoritative homes for what counts as an acceptable peer
    cert in their respective backends.

  • PSK mode — out of scope of E03, S08.07, and E26.

Metadata

Metadata

Assignees

No one assigned

    Labels

    epicEpic issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions