1 files changed, 12 insertions, 9 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 90734457e5..6d8f51833b 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.147 2024/04/02 22:50:54 sthen Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.148 2024/04/04 08:02:21 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -325,14 +325,17 @@ tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
    int *alert)
 {
        /*
-         * Servers should not send this extension per the RFC.
+         * This extension is only allowed in TLSv1.3 encrypted extensions.
-         *
+         * It is not permitted in a ServerHello in any version of TLS.
-         * However, certain F5 BIG-IP systems incorrectly send it. This bug is
+         */
-         * from at least 2014 but as of 2017, there are still large sites with
+        if (msg_type != SSL_TLSEXT_MSG_EE)
-         * this unpatched in production. As a result, we need to currently skip
+                return 0;
-         * over the extension and ignore its content:
-         *
+        /*
-         *  https://support.f5.com/csp/article/K37345003
+         * RFC 8446, section 4.2.7: TLSv1.3 servers can send this extension but
+         * clients must not act on it during the handshake. This allows servers
+         * to advertise their preferences for subsequent handshakes. We ignore
+         * this complication.
         */
        if (!CBS_skip(cbs, CBS_len(cbs))) {
                *alert = SSL_AD_INTERNAL_ERROR;

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 90734457e5..6d8f51833b 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.147 2024/04/02 22:50:54 sthen Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.148 2024/04/04 08:02:21 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -325,14 +325,17 @@ tlsext_supportedgroups_client_process(SSL s, uint16_t msg_type, CBS cbs,
325	int *alert)	325	int *alert)
326	{	326	{
327	/*	327	/*
328	* Servers should not send this extension per the RFC.	328	* This extension is only allowed in TLSv1.3 encrypted extensions.
329	*	329	* It is not permitted in a ServerHello in any version of TLS.
330	* However, certain F5 BIG-IP systems incorrectly send it. This bug is	330	*/
331	* from at least 2014 but as of 2017, there are still large sites with	331	if (msg_type != SSL_TLSEXT_MSG_EE)
332	* this unpatched in production. As a result, we need to currently skip	332	return 0;
333	* over the extension and ignore its content:	333
334	*	334	/*
335	* https://support.f5.com/csp/article/K37345003	335	* RFC 8446, section 4.2.7: TLSv1.3 servers can send this extension but
		336	* clients must not act on it during the handshake. This allows servers
		337	* to advertise their preferences for subsequent handshakes. We ignore
		338	* this complication.
336	*/	339	*/
337	if (!CBS_skip(cbs, CBS_len(cbs))) {	340	if (!CBS_skip(cbs, CBS_len(cbs))) {
338	*alert = SSL_AD_INTERNAL_ERROR;	341	*alert = SSL_AD_INTERNAL_ERROR;