1490006 - Invalid CH.legacy_version is not rejected in TLS 1.3

Status: RESOLVED FIXED

(NSS :: Libraries, defect)

Description

[Daiki Ueno [:ueno]]

While RFC 8446 Appendix D.5 says:
   Implementations MUST NOT send a ClientHello.legacy_version or
   ServerHello.legacy_version set to 0x0300 or less.  Any endpoint
   receiving a Hello message with ClientHello.legacy_version or
   ServerHello.legacy_version set to 0x0300 MUST abort the handshake
   with a "protocol_version" alert.

NSS server ignores the field and continues the handshake.

To reproduce with tlsfuzzer:

selfserv -w nss -d sql:server -V tls1.3: -H 1 -n localhost.localdomain -u -p 443
PYTHONPATH=. python ./scripts/test-tls13-legacy-version.py
version (3, 0) ...
Error encountered while processing node <tlsfuzzer.expect.ExpectAlert object at 0x7f4c6c764090> (child: <tlsfuzzer.expect.ExpectClose object at 0x7f4c6c7640d0>) with last message being: <tlslite.messages.Message object at 0x7f4c6c76a510>
Error while processing
Traceback (most recent call last):
  File "./scripts/test-tls13-legacy-version.py", line 174, in main
    runner.run()
  File "/home/dueno/devel/tlsfuzzer/tlsfuzzer/runner.py", line 217, in run
    RecordHeader2)))
AssertionError: Unexpected message from peer: Handshake(server_hello)

Comment 1

[Daiki Ueno [:ueno]]

Attachment: nss-legacy-version.patch

This should fix the issue, though it would be nice to have a self test.

Comment 2

[Daiki Ueno [:ueno]]

Attachment: Bug 1490006, reject invalid CH.legacy_version in TLS 1.3

As suggested in RFC 8446 Appendix D.5, TLS 1.3 server should send protocol_version alert in response to a ClientHello with legacy_version set to 0x300 or smaller.

Comment 3

[Daiki Ueno [:ueno]]

Pushed as:
https://hg.mozilla.org/projects/nss/rev/c8f7602ce9e6