NSS Server sent "unsupported extension" alert
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
People
(Reporter: hanumesh.nk, Assigned: djackson)
References
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Steps to reproduce:
Server is using nss-3.68.4-with-nspr-4.32. Client(sendmail) did STARTTLS and sent TLS Client Hello to the server.
Actual results:
Server sent back "Alert (Level: Fatal, Unsupported Extension)". Which extension did the server not supported?
"Client hello" message is attached with the Bug.
Note: Content of the "Client hello" message is modified for privacy purpose. Sensitive data is replaced with exactly same number of letter 'z' string.
Expected results:
May simply reply with the subset of the extension it does support rather than failing like this ? OR at-least specify which extension it did not like ?
|
Assignee | |
Comment 1•1 year ago
|
||
Thank you for the report Hanumesh. Attaching the dev-tech-crypto thread.
TLS1.3 specifies the certificate_authorities extension for the client hello and certificate request messages (Sect 4.2.4), however NSS only tolerates it in the certificate request message (source).
We'll get this fixed so that the extension is correctly ignored. In the mean time, if you'd like to workaround the problem, configuring the client not to send the certificate_authorities extensions ought to fix the issue.
Aside: FYI NSS 3.68.4 is no longer supported, the current ESR version is 3.79.2.
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 2•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 3•1 year ago
|
||
Description
•