Closed Bug 1765753 Opened 3 years ago Closed 3 years ago

TLS 1.3 Wrong ClientHello alerts / ServerHello behavior

Categories

(NSS :: Libraries, enhancement)

Product:
NSS
Component:
Libraries
Version:
3.7.7
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: leander.schwarz, Assigned: leander.schwarz)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Bug 1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. r?djackson
48 bytes, text/x-phabricator-request
Details | Review
Bug 1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. r=djackson
48 bytes, text/x-phabricator-request
Details | Review

  • [S] upon receiving a ClientHello that only offers a legacy version not supported by NSS server. NSS sends a 'handshake failure'

    • RFC 8446, Appendix D.2

      If the "supported_versions" extension is absent and the
      server only supports versions greater than
      ClientHello.legacy_version, the server MUST abort the handshake with
      a "protocol_version" alert.

  • [S] upon receiving a ClientHello with an EcPointFormats extension that only contains compressed or undefined point formats. NSS sends a 'handshake failure'

    • RFC 8422, Section 5.1.2: Supported Point Formats Extension

      If the client sends the extension and the extension does not contain
      the uncompressed point format, and the client has used the Supported
      Groups extension to indicate support for any of the curves defined in
      this specification, then the server MUST abort the handshake and
      return an illegal_parameter alert.

    • NOTE: RFC 8422 is a specification for TLS 1.2 and earlier!

  • [C] NSS does not accept an invalid legacy version (such as 0x0304 and 0x0505) set in the ServerHello when TLS 1.3 is negotiated

    • RFC8446, Section 4.2.1 does specify only that the ServerHello.legacy_version MUST be set to 0x303 (TLS 1.2) but does not state that the client needs to check this or the connection needs to be terminated/alerts to be sent.

Bugs originally reported in Bug 1714579.

Summary: TLS 1.3 Wrong ClientHello alerts → TLS 1.3 Wrong ClientHello alerts / ServerHello behavior

There are some r+ patches which didn't land and no activity in this bug for 2 weeks.
:lschwarz, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit auto_nag documentation.

Flags: needinfo?(lschwarz)
Flags: needinfo?(djackson)

https://hg.mozilla.org/projects/nss/rev/d06a8831ec84b55ac7d4e4c208a573a1a3cff7bd
https://hg.mozilla.org/projects/nss/rev/bc7bfba47e0aba6aab5849c58038c881610dab7f

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(lschwarz)
Flags: needinfo?(djackson)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: