From 183dc316a669d210cf5f47b850a5fc7823c6443d Mon Sep 17 00:00:00 2001 From: tb <> Date: Tue, 8 Jun 2021 18:05:47 +0000 Subject: Ignore the record version for early alerts On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI. Part of an issue reported by danj. ok jsing --- src/lib/libssl/tls13_record_layer.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c index ff2a6884b6..6556547353 100644 --- a/src/lib/libssl/tls13_record_layer.c +++ b/src/lib/libssl/tls13_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record_layer.c,v 1.61 2021/05/16 14:19:04 jsing Exp $ */ +/* $OpenBSD: tls13_record_layer.c,v 1.62 2021/06/08 18:05:47 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -826,12 +826,18 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) return ret; } + content_type = tls13_record_content_type(rl->rrec); + + /* + * In response to a client hello we may receive an alert in a + * record with a legacy version. Otherwise enforce that the + * legacy record version is 0x0303 per RFC 8446, section 5.1. + */ if (rl->legacy_version == TLS1_2_VERSION && - tls13_record_version(rl->rrec) != TLS1_2_VERSION) + tls13_record_version(rl->rrec) != TLS1_2_VERSION && + (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed)) return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); - content_type = tls13_record_content_type(rl->rrec); - /* * Bag of hacks ahead... after the first ClientHello message has been * sent or received and before the peer's Finished message has been -- cgit v1.2.3-55-g6feb