Closed Bug 1789410 Opened 2 years ago Closed 1 year ago

ECH client - Connection with valid ECHConfig but server negotiating TLS 1.2 does not throw ech_required.

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Version:
3.82
Type:
defect

Tracking

(firefox-esr102 unaffected, firefox110 disabled, firefox111 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- disabled
firefox111 --- fixed

People

(Reporter: lschwarz, Assigned: djackson)

References

(Blocks 1 open bug)

Details

(Keywords: sec-low, Whiteboard: [adv-main111-][post-critsmash-triage])

Attachments

(1 file, 1 obsolete file)

Bug 1789410 - ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test. r?djackson
48 bytes, text/x-phabricator-request
Details | Review

nightly-only

Security Sensitive Crypto Bug

If the NSS ECH client is setup with valid ECHConfigs for a server, but on connection the server negotiates TLS 1.2 this does NOT result in an ech_required alert but in a successful TLS 1.2 connection without the server securely disabling ECH.

This should lead to termination of the connection with ech_required alert.

The behavior was detected using the BoringSSL test runner (bogo) "TLS-ECH-Client-Reject-TLS12" test.

Attachment #9294581 - Attachment is obsolete: true

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:lschwarz, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit auto_nag documentation.

Flags: needinfo?(lschwarz)
Flags: needinfo?(djackson)
Flags: needinfo?(lschwarz)
Flags: needinfo?(djackson)
Assignee: lschwarz → djackson

https://hg.mozilla.org/projects/nss/rev/07b5cf23885cde9dc256e6a91bd4985847b471ee

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Group: crypto-core-security → core-security-release
status-firefox111: --- → fixed
Target Milestone: --- → 3.88
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [adv-main111+][post-critsmash-triage]
status-firefox110: --- → disabled
status-firefox-esr102: --- → unaffected
Whiteboard: [adv-main111+][post-critsmash-triage] → [adv-main111-][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: