Closed Bug 1815167 Opened 2 years ago Closed 1 year ago

NSS Server sent "unsupported extension" alert

Categories

(NSS :: Libraries, defect, P1)

3.68

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hanumesh.nk, Assigned: djackson)

References

Details

Attachments

(2 files)

Attached file ClientHello.txt

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36

Steps to reproduce:

Server is using nss-3.68.4-with-nspr-4.32. Client(sendmail) did STARTTLS and sent TLS Client Hello to the server.

Actual results:

Server sent back "Alert (Level: Fatal, Unsupported Extension)". Which extension did the server not supported?

"Client hello" message is attached with the Bug.
Note: Content of the "Client hello" message is modified for privacy purpose. Sensitive data is replaced with exactly same number of letter 'z' string.

Expected results:

May simply reply with the subset of the extension it does support rather than failing like this ? OR at-least specify which extension it did not like ?

Thank you for the report Hanumesh. Attaching the dev-tech-crypto thread.

TLS1.3 specifies the certificate_authorities extension for the client hello and certificate request messages (Sect 4.2.4), however NSS only tolerates it in the certificate request message (source).

We'll get this fixed so that the extension is correctly ignored. In the mean time, if you'd like to workaround the problem, configuring the client not to send the certificate_authorities extensions ought to fix the issue.

Aside: FYI NSS 3.68.4 is no longer supported, the current ESR version is 3.79.2.

Severity: -- → S4
Priority: -- → P3
Summary: Server sent "unsupported extension" alert → NSS Server sent "unsupported extension" alert
Assignee: nobody → djackson
Priority: P3 → P1
Attachment #9317865 - Attachment description: Bug 1815167: Tolerate certificate_authorities xtn in ClientHello. r=mt! → Bug 1815167: Tolerate certificate_authorities xtn in ClientHello. r=#nss-reviewers
Attachment #9317865 - Attachment description: Bug 1815167: Tolerate certificate_authorities xtn in ClientHello. r=#nss-reviewers → Bug 1815167: Tolerate certificate_authorities xtn in ClientHello. r=mt!
Blocks: 1818174
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: