Closed Bug 1764788 Opened 4 years ago Closed 3 years ago

TLS 1.3 Wrong undefined content type record layer alerts

Categories

(NSS :: Libraries, enhancement)

3.77
enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: leander.schwarz, Assigned: leander.schwarz)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

  • [S] upon receiving a record with an undefined content type at the beginning of the handshake, NSS sends an 'illegal parameter' alert. Upon receiving a record with an undefined content type during the handshake, NSS sends a 'decode error'.

  • [C] upon receiving a record with invalid content type (0xFF), NSS responds with a 'decode error' alert.

The relevant RFC section:

RFC 8446 - 5. Record Protocol
If a TLS implementation receives an unexpected record type, it MUST terminate the
connection with an "unexpected_message" alert.

The bugs were originally reported in Bug 1714579.
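
The record-layer check the quoted RFC text calls for, as an added example that is not NSS code and not part of the original report: the content type is validated before any handshake-state logic, so an undefined type such as 0xFF maps to `unexpected_message` in every phase. It goes slightly beyond the report by also applying the RFC 8446 length limits (`record_overflow`). The function name, result codes and sample headers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Numeric values as assigned in RFC 8446. */
enum { CT_CHANGE_CIPHER_SPEC = 20, CT_ALERT = 21, CT_HANDSHAKE = 22,
       CT_APPLICATION_DATA = 23 };
enum { ALERT_UNEXPECTED_MESSAGE = 10, ALERT_RECORD_OVERFLOW = 22 };
/* Hypothetical result codes for this sketch (not NSS identifiers). */
enum { REC_OK = 0, REC_NEED_MORE = -1 };

#define REC_HEADER_LEN 5
#define MAX_PLAINTEXT  (1u << 14)          /* TLSPlaintext.length limit */
#define MAX_CIPHERTEXT ((1u << 14) + 256)  /* TLSCiphertext.length limit */

/* Constructed sample headers: type, legacy version (2 bytes), length (2 bytes). */
static const uint8_t SAMPLE_BAD_TYPE[]  = { 0xFF, 0x03, 0x03, 0x00, 0x01 };
static const uint8_t SAMPLE_HANDSHAKE[] = { 0x16, 0x03, 0x01, 0x00, 0x2A };
static const uint8_t SAMPLE_OVERSIZE[]  = { 0x17, 0x03, 0x03, 0x41, 0x01 };

/* Returns REC_OK, REC_NEED_MORE, or the alert description to send before
 * closing. The content type is checked first and without reference to
 * handshake state, so an undefined type yields the same alert before,
 * during and after the handshake. */
int check_record_header(const uint8_t *buf, size_t len, int is_protected)
{
    uint32_t length;
    if (len < REC_HEADER_LEN)
        return REC_NEED_MORE;
    switch (buf[0]) {
    case CT_CHANGE_CIPHER_SPEC: case CT_ALERT:
    case CT_HANDSHAKE: case CT_APPLICATION_DATA:
        break;
    default:
        return ALERT_UNEXPECTED_MESSAGE;
    }
    length = ((uint32_t)buf[3] << 8) | buf[4];
    if (length > (is_protected ? MAX_CIPHERTEXT : MAX_PLAINTEXT))
        return ALERT_RECORD_OVERFLOW;
    return REC_OK;
}

int main(void)
{
    printf("0xFF type: %d\n", check_record_header(SAMPLE_BAD_TYPE, 5, 0));
    printf("handshake: %d\n", check_record_header(SAMPLE_HANDSHAKE, 5, 0));
    printf("oversize:  %d\n", check_record_header(SAMPLE_OVERSIZE, 5, 1));
    return 0;
}
```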

Added test cases for alerts during and pre handshake as well as TLS 1.3 only after handshake (application data) cases due to unsupported de- and encryption of lower TLS version records in gtest.

Adjusted some test cases that expect failed connections to the updated alerts.

Depends on D141841

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED