diff options
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 646c59e5d6..60daff6f8d 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.9 2017/08/12 23:38:12 beck Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.10 2017/08/23 15:39:38 doug Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -130,7 +130,21 @@ tlsext_ec_serverhello_build(SSL *s, CBB *cbb) | |||
| 130 | int | 130 | int |
| 131 | tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert) | 131 | tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert) |
| 132 | { | 132 | { |
| 133 | return 0; | 133 | /* |
| 134 | * Servers should not send this extension per the RFC. | ||
| 135 | * | ||
| 136 | * However, F5 sends it by mistake (case ID 492780) so we need to skip | ||
| 137 | * over it. This bug is from at least 2014 but as of 2017, there | ||
| 138 | * are still large sites with this bug in production. | ||
| 139 | * | ||
| 140 | * https://devcentral.f5.com/questions/disable-supported-elliptic-curves-extension-from-server | ||
| 141 | */ | ||
| 142 | if (!CBS_skip(cbs, CBS_len(cbs))) { | ||
| 143 | *alert = TLS1_AD_INTERNAL_ERROR; | ||
| 144 | return 0; | ||
| 145 | } | ||
| 146 | |||
| 147 | return 1; | ||
| 134 | } | 148 | } |
| 135 | 149 | ||
| 136 | /* | 150 | /* |