Bug 1396487: TLS record size limit extension
Opened 8 years ago. Closed 7 years ago.
Categories: NSS :: Libraries, enhancement, P2
Tracking: Not tracked
Status: RESOLVED FIXED (3.38)
People: Reporter: mt, Assigned: mt
Attachments: 4 files, 1 obsolete file
This was recently adopted by the TLS working group and is fairly trivial to implement.
Comment 1 • 8 years ago (Assignee)
https://phabricator.services.mozilla.com/D23
I need to implement a check for the size limit on receipt. The code doesn't currently reject too-large records if it receives them.
Updated • 8 years ago (Assignee)
Assignee: nobody → martin.thomson
Updated • 8 years ago
Status: NEW → ASSIGNED
Priority: -- → P2
Comment 2 • 8 years ago
Comment on attachment 8904125 [details]
Refactor 1/n-1 record splitting code
Eric Rescorla (:ekr) has approved the revision.
https://phabricator.services.mozilla.com/D21#1441
Attachment #8904125 - Flags: review+
Comment 3 • 8 years ago (Assignee)
Comment 4 • 8 years ago
Comment on attachment 8904124 [details]
Refactor DTLS handshake record fragmentation
Eric Rescorla (:ekr) has approved the revision.
https://phabricator.services.mozilla.com/D20#2973
Attachment #8904124 - Flags: review+
Comment 5 • 8 years ago
Comment on attachment 8905464 [details]
Extra test case for ACK, fragmentation and reassembly
Eric Rescorla (:ekr) has approved the revision.
https://phabricator.services.mozilla.com/D39#3421
Attachment #8905464 - Flags: review+
Comment 6 • 7 years ago
Until we have an assigned codepoint, we should not be sending this
extension. However, we want to land the code and keep it tested, so this
is what we have. This uses an option value of 0 as a sentinel, disabling
the extension almost entirely. Both client and server reject this
extension if it appears in messages other than ClientHello/
EncryptedExtensions in TLS 1.3 as well. So the disabling isn't perfect,
but it should be good enough if the assignment isn't far away (and the
draft is almost done, so that seems possible).
Changing the option in any way enables the extension with the experimental
codepoint that was chosen. Tests use this to test the feature.
This change is made as a separate commit so that it is easy to revert.
I've tried to keep the changes as discreet as possible.
Updated • 7 years ago
Attachment #8981339 - Attachment is obsolete: true
Comment 7 • 7 years ago (Assignee)
Got a codepoint today: 28
https://hg.mozilla.org/projects/nss/rev/bde45e406ea449f0a6259814587b8508539802d5
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.38
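The receive-side check mentioned in comment 1, together with validation of the peer's advertised value, as an added example (not NSS code and not taken from this bug's patches). Function and constant names are hypothetical; codepoint 28 is the one given in comment 7, and the bounds and alert numbers follow RFC 8449 and the TLS alert registry.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not NSS code; all names below are hypothetical. */
#define EXT_RECORD_SIZE_LIMIT 28 /* codepoint from comment 7 */
#define RSL_MIN 64u              /* smallest value RFC 8449 permits */
enum { ALERT_NONE = 0, ALERT_RECORD_OVERFLOW = 22,
       ALERT_ILLEGAL_PARAMETER = 47, ALERT_DECODE_ERROR = 50 };

/* Parse the peer's extension_data (one uint16). Returns ALERT_NONE and
 * stores the limit for records we send, or the fatal alert to raise. */
int rsl_parse_peer(const uint8_t *data, size_t len, int is_tls13,
                   int we_are_server, unsigned *send_limit)
{
    /* Protocol maximum: 2^14, plus one in TLS 1.3, where the limit
     * also counts the inner content-type octet. */
    unsigned v, max = is_tls13 ? 16385u : 16384u;
    if (len != 2)
        return ALERT_DECODE_ERROR;
    v = ((unsigned)data[0] << 8) | data[1];
    if (v < RSL_MIN)
        return ALERT_ILLEGAL_PARAMETER;
    if (v > max) {
        /* A client may abort; a server must not enforce the upper
         * bound, so this example clamps to what it can send anyway. */
        if (!we_are_server)
            return ALERT_ILLEGAL_PARAMETER;
        v = max;
    }
    *send_limit = v;
    return ALERT_NONE;
}

/* Receipt check: plaintext_len is the decrypted record length (in
 * TLS 1.3 the whole TLSInnerPlaintext, type and padding included),
 * compared against the limit we advertised to the peer. */
int rsl_check_received(size_t plaintext_len, unsigned advertised_limit)
{
    return plaintext_len > advertised_limit ? ALERT_RECORD_OVERFLOW
                                            : ALERT_NONE;
}

int main(void)
{
    const uint8_t ext[] = { 0x04, 0x00 }; /* constructed: peer limit 1024 */
    unsigned limit = 0;
    if (rsl_parse_peer(ext, sizeof ext, 1, 0, &limit) != ALERT_NONE)
        return 1;
    /* Constructed case: we advertised 1024 and received 1025 octets. */
    return rsl_check_received(1025, 1024) == ALERT_RECORD_OVERFLOW ? 0 : 1;
}
```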