From cccafe604becdfd2326c3f4d1c5664d824934cb4 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 27 Jan 2018 15:17:13 +0000
Subject: Clarify the comment re the F5 EC curves extension bug. Also reference the knowledge base article instead of a discussion thread.
---
 src/lib/libssl/ssl_tlsext.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index d43ebc6775..d0764af3c0 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.18 2017/11/28 16:46:14 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.19 2018/01/27 15:17:13 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing
  * Copyright (c) 2017 Doug Hogan
@@ -271,11 +271,12 @@ tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert)
 	/*
 	 * Servers should not send this extension per the RFC.
 	 *
-	 * However, F5 sends it by mistake (case ID 492780) so we need to skip
-	 * over it. This bug is from at least 2014 but as of 2017, there
-	 * are still large sites with this bug in production.
+	 * However, certain F5 BIG-IP systems incorrectly send it. This bug is
+	 * from at least 2014 but as of 2017, there are still large sites with
+	 * this unpatched in production. As a result, we need to currently skip
+	 * over the extension and ignore its content:
 	 *
-	 * https://devcentral.f5.com/questions/disable-supported-elliptic-curves-extension-from-server
+	 * https://support.f5.com/csp/article/K37345003
 	 */
 	if (!CBS_skip(cbs, CBS_len(cbs))) {
 		*alert = TLS1_AD_INTERNAL_ERROR;
-- 
cgit v1.2.3-55-g6feb
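Review bot: The reworded comment still leaves two things a reader of tlsext_ec_serverhello_parse will want: which RFC forbids the extension in a ServerHello (the context line just says "the RFC"), and why discarding whatever bytes the server put there is safe rather than merely convenient. I would name the spec on the existing context line, e.g. `* Servers MUST NOT send this extension per RFC 4492, section 5.2.` (verify the section number against the text before committing), and add after the "ignore its content:" sentence a line such as `* The skipped bytes are never interpreted, so a server cannot influence curve selection or any other client state through this extension; only its presence is tolerated.` This makes explicit that the CBS_skip path is a deliberate accept-and-discard, not a partial parse, which is the property a future maintainer must preserve if the workaround is ever narrowed to specific peers. The function body starts and ends outside this hunk, so I have not checked how the remaining length is validated before this point.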