-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS-RFC compliance #469
Comments
Thanks for the report!
Could you explain in what situation it happens? In majority of cases it should send the correct
I don't think enforcing that is useful; the extension may have been included because of an ECC ciphersuite that's unknown to the server, and even if all the ciphersuites are known, that's rather brittle code that does not increase interoperability or security. |
Thank you for the feedback. We agree that enforcing this ECC cipher suite check may cause problems - that's a good point! I think the alert description for the lack of overlapping parameters may be caused by deprecated groups we include in the ClientHello we send in the test. |
RFC 8446 says that deprecated groups "MUST NOT be offered or negotiated by TLS 1.3 implementations."; so that's what causing the rejection: if the ClientHello is recognised as a TLS 1.3 CH, and includes those obsolete curves then technically the message is malformed, so |
Yes, it's a false positive on our end - sorry if my last comment didn't convey this. |
Hi,
we (@jurajsomorovsky @ic0ns @mmaehren @XoMEX @Kavakuo) are performing an analysis of the RFC-compliance of open-source TLS implementations. Below we list our findings for this implementation. We admit that some are rather nit-picky, but we added them for the sake of completeness. We tried to keep the descriptions brief and didn’t want to spam the issues section so feel free to split up the list into individual issues as you see fit.
If you disagree with our interpretation of certain RFC statements, please leave feedback as we’re interested in your view.
Our results apply to the default configuration of version 0.8.0-alpha39. We used the example implementations for client and server.
[S] = Applies to server
[C] = Applies to client
[C+S] = Applies to both
Misc
[S] tlslite-ng allows to resume a session even if the previous session was terminated with a fatal close_notify
[S] tlslite-ng accepts records with a deprecated version
Session not aborted
[C] upon receiving a ServerHello with a SupportedVersions extension containing 0x0303 (TLS 1.2), tlslite_ng negotiates TLS 1.2
[C] upon receiving a ServerHello that contains unproposed extensions (besides the TLS 1.3 Cookie extension)
[C] upon receiving a ServerHello that negotiates an AEAD cipher suite and encrypt-then-MAC at the same time
[C] upon receiving a TLS 1.3 HelloRetryRequest with invalid content(cipher suite, compression value, session id)
[C] upon receiving an EncryptedExtensions message that contains an extension that must not appear in this message
[C] upon receiving a ServerHello that negotiates TLS 1.3 but does not echo the client's session ID
[C] upon receiving an encrypted Finished message without receiving a ChangeCipherSpec first. tlslite-ng attempts to parse the record as unencrypted - for cipher suites with a random IV at the beginning of the record, tlslite_ng parses the first bytes of this IV as handshake message type and message length fields. As this 'length' is usually not within the bounds of the record, tlslite_ng waits for more records
[C+S] upon receiving an encrypted CCS or a CCS after a completed handshake when TLS 1.3 is used
[S] upon receiving a Padding extension that contains bytes other than 0x00
[S] upon receiving a SupportedPointFormat extension that only accepts compressed points or an invalid format
[S] upon receiving a ClientHello that contains elliptic curve extensions but no ECC cipher suite
[S] upon receiving a ClientHello that negotiates TLS 1.3 but does not set the legacy version field to 0x0303
Only session closed but no alert sent
[C] upon receiving an invalid verify_data in a TLS 1.3 Finished message
[C] upon receiving an invalid CertificateVerify message (invalid signature scheme / signature or missing signature)
[C] upon receiving a second TLS 1.3 HelloRetryRequest
[C] upon receiving a ServerHello with a KeyShare extension that contains a NamedGroup for which the client did not send a KeyShare (e.g X448)
Different alert sent than defined by the RFC
[C] upon receiving a ServerHello with an SSL2 protocol version set in the version field, tlslite_ng replies with 0x80 02 02 46 which is an SSL2 record header carrying a TLS alert (fatal, protocol_version)
[S] when there are no overlapping parameters. tlslite-ng sends an 'illegal parameter' alert
[C+S] when another record type interleaves handshake messages
[C] upon receiving a record with an undefined record content type. tlslite-ng sends a 'record overflow' alert
The text was updated successfully, but these errors were encountered: