Open
Bug 1438263
Opened 8 years ago
Updated 3 years ago
Unexpected TLS alerts should abort connections
Categories
(NSS :: Libraries, enhancement, P3)
Tracking
(Not tracked)
NEW
People
(Reporter: jcj, Unassigned)
Details
(Whiteboard: [bogo])
The new BoGo test SendBogusAlertType sends an alert of type 0x42 [1] and expects the server to abort the connection with :UNKNOWN_ALERT_TYPE:. NSS ignores this and the connection succeeds.
We should abort as well.
[1] https://github.com/google/boringssl/blob/67968895b3b8cace34ea6dbdf65ac922667959ac/ssl/test/runner/runner.go#L841
Comment 1•8 years ago
Confirming, per spec:
"All alerts defined in this section below, as well as all unknown alerts, are universally considered fatal as of TLS 1.3 (see Section 6)."
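The rule quoted above, as an added example that is not NSS code: a small alert-handling routine that applies the TLS 1.3 behaviour (only close_notify and user_canceled are non-fatal; every other alert, known or unknown, aborts, and the level byte is not consulted), with the TLS 1.2 rule (level byte decides, RFC 5246 section 7.2) kept for contrast. The function names and the level byte on the constructed 0x42 sample are assumptions; the bug does not say which level the BoGo test sends.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Alert levels and the two non-fatal descriptions from RFC 8446 section 6. */
#define ALERT_LEVEL_WARNING 1
#define ALERT_LEVEL_FATAL   2
#define ALERT_CLOSE_NOTIFY  0
#define ALERT_USER_CANCELED 90

typedef enum {
    ALERT_ACTION_CLOSE,  /* peer closed cleanly (close_notify) */
    ALERT_ACTION_IGNORE, /* benign warning: connection continues */
    ALERT_ACTION_ABORT   /* fatal: tear the connection down */
} alert_action;

/* Classify a decrypted alert record body (two bytes: level, description).
 * Hypothetical helper, not an NSS API. */
alert_action handle_alert(const uint8_t *body, size_t len, bool tls13)
{
    if (len != 2)
        return ALERT_ACTION_ABORT; /* malformed alert: never continue */
    uint8_t level = body[0], desc = body[1];
    if (desc == ALERT_CLOSE_NOTIFY)
        return ALERT_ACTION_CLOSE;
    if (tls13) {
        /* TLS 1.3: user_canceled is the only other non-fatal alert. Everything
         * else, including descriptions this code does not recognise (the 0x42
         * from the BoGo test has no assigned meaning), is fatal regardless of
         * the level byte, which RFC 8446 says may be ignored. */
        return desc == ALERT_USER_CANCELED ? ALERT_ACTION_IGNORE : ALERT_ACTION_ABORT;
    }
    /* TLS 1.2 and earlier (RFC 5246 section 7.2): the level byte decides. */
    return level == ALERT_LEVEL_FATAL ? ALERT_ACTION_ABORT : ALERT_ACTION_IGNORE;
}

/* The scenario from the bug: an unknown alert type 0x42 on a TLS 1.3 connection.
 * The record is a constructed sample; the warning level is an assumption. */
alert_action bogus_alert_outcome(void)
{
    const uint8_t bogus[2] = { ALERT_LEVEL_WARNING, 0x42 };
    return handle_alert(bogus, sizeof bogus, true);
}

int main(void)
{
    printf("unknown alert 0x42 under TLS 1.3 -> %s\n",
           bogus_alert_outcome() == ALERT_ACTION_ABORT ? "abort" : "continue");
    return 0;
}
```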
Comment 2•8 years ago
Does this need to be hidden to protect our users? Or is it just a correctness bug?
Flags: needinfo?(jjones)
Comment 3•8 years ago
JC, if this is an authenticated alert, then there isn't any reason for this to be marked sensitive. Or is this sent in the clear?
Comment 4 (Reporter)•8 years ago
(In reply to Martin Thomson [:mt:] from comment #3)
> JC, if this is an authenticated alert, then there isn't any reason for this
> to be marked sensitive. Or is this sent in the clear?
Yes, it appears that BoGo is sending this as an authenticated alert [1] [2], so I agree, let's open this up.
[1] https://github.com/google/boringssl/blob/78a832d793bb6c097bf443f3c85d6a1ee4240764/ssl/test/runner/runner.go#L841
[2] https://golang.org/src/crypto/tls/conn.go line 718, 852
Flags: needinfo?(jjones)
Updated•8 years ago
Group: crypto-core-security
Updated•8 years ago
Priority: -- → P3
Updated•3 years ago
Severity: normal → S3