Closed Bug 1252745 Opened 8 years ago Closed 8 years ago

Signed certificate timestamp extension doesn't work in TLS 1.3

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(firefox47 affected)

RESOLVED FIXED
Tracking Status
firefox47 --- affected

People

(Reporter: mt, Assigned: mt)

References

Details

This is largely because we were talked into accepting a dodgy memory management scheme for the extension data, but it is more than that.  The state is copied into the session (so that it is available after resumption), but that session isn't available in TLS <=1.2 until after the extension processing.

In TLS 1.3, this extension should be in EncryptedExtensions, which means that the session will be available.
The simplest fix would be to:

a) add this to KnownExtensions
b) in the client handler, copy the extension data over to the session if the version is TLS 1.3

That is, however, a disgusting option.
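To show the copy the proposed fix has to perform, here is an added example (not NSS code): a parser for the TLS 1.3 EncryptedExtensions body that walks the extension vector, finds the signed_certificate_timestamp extension (type 18 from RFC 6962), checks the SignedCertificateTimestampList framing, and copies the payload into a session record on the spot, since in TLS 1.3 the session is already available when that message is processed. The session struct, function names and sample bytes are constructed for this example and do not correspond to NSS internals.

```c
#include <stdint.h>
#include <string.h>
#define EXT_SIGNED_CERTIFICATE_TIMESTAMP 18  /* extension type from RFC 6962 */

/* Hypothetical session record; stands in for the real NSS session structure. */
typedef struct {
    uint8_t sct_list[512];  /* SignedCertificateTimestampList bytes */
    size_t sct_list_len;    /* 0 when no SCT extension was received */
} sct_session_t;

/* Walk a TLS extension vector and copy the signed_certificate_timestamp payload
 * into the session: 1 = copied, 0 = absent, -1 = malformed vector or body. */
static int copy_sct_to_session(const uint8_t *exts, size_t len, sct_session_t *sess)
{
    size_t off = 0;
    sess->sct_list_len = 0;
    while (off < len) {
        if (len - off < 4) return -1;                     /* truncated header */
        uint16_t type = (uint16_t)(exts[off] << 8 | exts[off + 1]);
        uint16_t dlen = (uint16_t)(exts[off + 2] << 8 | exts[off + 3]);
        off += 4;
        if (dlen > len - off) return -1;                  /* body overruns vector */
        if (type == EXT_SIGNED_CERTIFICATE_TIMESTAMP) {
            /* extension_data is a SignedCertificateTimestampList <1..2^16-1>:
             * a 2-byte length that must exactly fill the remaining data. */
            if (dlen < 3) return -1;
            size_t list_len = (size_t)(exts[off] << 8 | exts[off + 1]);
            if (list_len != dlen - 2u || list_len > sizeof sess->sct_list) return -1;
            memcpy(sess->sct_list, exts + off + 2, list_len);
            sess->sct_list_len = list_len;
            return 1;
        }
        off += dlen;                                      /* skip other extensions */
    }
    return 0;
}

/* EncryptedExtensions body: a 2-byte length followed by the extension vector. */
int parse_encrypted_extensions(const uint8_t *msg, size_t len, sct_session_t *sess)
{
    if (len < 2) return -1;
    size_t vlen = (size_t)(msg[0] << 8 | msg[1]);
    if (vlen != len - 2) return -1;                       /* length must match message */
    return copy_sct_to_session(msg + 2, vlen, sess);
}

/* Constructed samples: an empty server_name extension, then an SCT extension with one
 * 1-byte dummy SerializedSCT; and the same message cut short inside the SCT body. */
static const uint8_t SAMPLE_EE[] = { 0x00,0x0D, 0x00,0x00,0x00,0x00, 0x00,0x12,0x00,0x05, 0x00,0x03, 0x00,0x01,0xAA };
static const uint8_t TRUNCATED_EE[] = { 0x00,0x0B, 0x00,0x00,0x00,0x00, 0x00,0x12,0x00,0x05, 0x00,0x03, 0x00 };
```

On the truncated message the parser rejects the whole body and leaves the session's SCT length at 0, so a resumed session never carries a partially copied list.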
Blocks: tls13
Review: https://nss-review.dev.mozaws.net/D50
Code: https://hg.mozilla.org/projects/nss/rev/467e55ab450c
Assignee: nobody → martin.thomson
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.28