diff options
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 20 |
1 files changed, 3 insertions, 17 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 14cf6fce84..6649baf291 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.145 2024/03/27 22:27:09 beck Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.146 2024/03/28 00:22:35 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -324,22 +324,8 @@ static int | |||
| 324 | tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs, | 324 | tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs, |
| 325 | int *alert) | 325 | int *alert) |
| 326 | { | 326 | { |
| 327 | /* | 327 | /* Servers should not send this extension per the RFC. */ |
| 328 | * Servers should not send this extension per the RFC. | 328 | return 0; |
| 329 | * | ||
| 330 | * However, certain F5 BIG-IP systems incorrectly send it. This bug is | ||
| 331 | * from at least 2014 but as of 2017, there are still large sites with | ||
| 332 | * this unpatched in production. As a result, we need to currently skip | ||
| 333 | * over the extension and ignore its content: | ||
| 334 | * | ||
| 335 | * https://support.f5.com/csp/article/K37345003 | ||
| 336 | */ | ||
| 337 | if (!CBS_skip(cbs, CBS_len(cbs))) { | ||
| 338 | *alert = SSL_AD_INTERNAL_ERROR; | ||
| 339 | return 0; | ||
| 340 | } | ||
| 341 | |||
| 342 | return 1; | ||
| 343 | } | 329 | } |
| 344 | 330 | ||
| 345 | /* | 331 | /* |