diff options
| author | tb <> | 2024-04-04 08:02:21 +0000 |
|---|---|---|
| committer | tb <> | 2024-04-04 08:02:21 +0000 |
| commit | 5833e6be811b874ec2bbc5731b548b270e6845a2 (patch) | |
| tree | 6c1e83cd7e12580772317468694668609bf9ceb6 /src | |
| parent | e8f02dfdf1f039627bc23fe657b3c87398ba6866 (diff) | |
| download | openbsd-5833e6be811b874ec2bbc5731b548b270e6845a2.tar.gz openbsd-5833e6be811b874ec2bbc5731b548b270e6845a2.tar.bz2 openbsd-5833e6be811b874ec2bbc5731b548b270e6845a2.zip | |
Recommit a better version of the removal of the F5 workaround
Unlike for previous TLS versions, TLSv1.3 servers can send the supported
groups extension to inform a client of the server's preferences. The
intention is that a client can adapt for subsequent commits. We ignore
this info for now, but sthen ran into java-based servers that do this.
Thus, rejecting the extension outright was incorrect. Instead, only allow
the extension in TLSv1.3 encrypted extensions. This way the F5 workaround
is also disabled, but we continue to interoperate with TLSv1.3 servers that
do follow the last paragraph of RFC 8446, section 4.2.7.
This mostly adjusts outdated/misleading comments.
ok jsing sthen
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 90734457e5..6d8f51833b 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.147 2024/04/02 22:50:54 sthen Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.148 2024/04/04 08:02:21 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -325,14 +325,17 @@ tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs, | |||
| 325 | int *alert) | 325 | int *alert) |
| 326 | { | 326 | { |
| 327 | /* | 327 | /* |
| 328 | * Servers should not send this extension per the RFC. | 328 | * This extension is only allowed in TLSv1.3 encrypted extensions. |
| 329 | * | 329 | * It is not permitted in a ServerHello in any version of TLS. |
| 330 | * However, certain F5 BIG-IP systems incorrectly send it. This bug is | 330 | */ |
| 331 | * from at least 2014 but as of 2017, there are still large sites with | 331 | if (msg_type != SSL_TLSEXT_MSG_EE) |
| 332 | * this unpatched in production. As a result, we need to currently skip | 332 | return 0; |
| 333 | * over the extension and ignore its content: | 333 | |
| 334 | * | 334 | /* |
| 335 | * https://support.f5.com/csp/article/K37345003 | 335 | * RFC 8446, section 4.2.7: TLSv1.3 servers can send this extension but |
| 336 | * clients must not act on it during the handshake. This allows servers | ||
| 337 | * to advertise their preferences for subsequent handshakes. We ignore | ||
| 338 | * this complication. | ||
| 336 | */ | 339 | */ |
| 337 | if (!CBS_skip(cbs, CBS_len(cbs))) { | 340 | if (!CBS_skip(cbs, CBS_len(cbs))) { |
| 338 | *alert = SSL_AD_INTERNAL_ERROR; | 341 | *alert = SSL_AD_INTERNAL_ERROR; |