From 530c97f22c645521413a86aa2dc6a5dd8354200d Mon Sep 17 00:00:00 2001 From: beck <> Date: Thu, 28 Mar 2024 00:22:35 +0000 Subject: Stop pandering to the loadbalancer industrial complex. So we initially kept this hack around for f5 boxes that should have been patched in 2014, and were not as of 2017. The f5 article for the bug archived on their web site, and any of these devices on the public internet will have since been upgraded to deal with a host of record layer, TLS, and other bugs, or they likely won't be talking to modern stacks, since as of this point the software with the bug would not have been updated in 10 years. So just make this spec compliant and reject a supported groups extension that should not have been sent by a server. ok tb@ jsing@ --- src/lib/libssl/ssl_tlsext.c | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) (limited to 'src') diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 14cf6fce84..6649baf291 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.145 2024/03/27 22:27:09 beck Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.146 2024/03/28 00:22:35 beck Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -324,22 +324,8 @@ static int tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - /* - * Servers should not send this extension per the RFC. - * - * However, certain F5 BIG-IP systems incorrectly send it. This bug is - * from at least 2014 but as of 2017, there are still large sites with - * this unpatched in production. As a result, we need to currently skip - * over the extension and ignore its content: - * - * https://support.f5.com/csp/article/K37345003 - */ - if (!CBS_skip(cbs, CBS_len(cbs))) { - *alert = SSL_AD_INTERNAL_ERROR; - return 0; - } - - return 1; + /* Servers should not send this extension per the RFC. */ + return 0; } /* -- cgit v1.2.3-55-g6feb