Fix ssl ecc handshake crash on unknown curve #286

@stolen (Contributor) commented Mar 9, 2014

original message at http://erlang.org/pipermail/erlang-questions/2014-March/078083.html

When a buggy client or security scanner opens a connection to an OTP ssl server and sends a Supported Elliptic Curves Client Hello Extension with '0' or any other curve id not defined in tls_v1:enum_to_oid/1, the server crashes.

This pull request fixes this problem by ignoring unknown curve ids.

stolen added some commits Mar 9, 2014
@stolen: Add test for unknown elliptic curve supported by client (29a89a6)
When a TLS client sends a Supported Elliptic Curves Client Hello Extension
containing an unknown curve enum value, the server crashes with a
function_clause instead of just ignoring the specified unknown curve.
@stolen: Fix ssl server crash on unknown elliptic curve enum value (e10f831)
When a TLS client sends a Supported Elliptic Curves Client Hello Extension,
the server should select curves supported by both of them or refuse to
negotiate the use of an ECC cipher suite. So it should be OK to ignore
unknown curves specified by a client.
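The behaviour described in the PR text and in the two commit messages (parse the extension, drop unknown curve ids instead of crashing, then pick a curve both sides support or refuse ECC), as an added example that is not OTP's ssl code or the PR's own patch. `enum_to_curve/1` is a hypothetical stand-in for `tls_v1:enum_to_oid/1` that knows only three RFC 4492 curve ids; the wire bytes in `demo/0` are constructed.

```erlang
%% Constructed example: parse the body of a TLS Supported Elliptic Curves
%% Client Hello extension and select a curve the server also supports,
%% skipping unknown curve ids instead of crashing on them.
-module(ecc_curve_select).
-export([parse_curves/1, select_curve/2, demo/0]).

%% Hypothetical stand-in for tls_v1:enum_to_oid/1 (assumption: only these
%% RFC 4492 NamedCurve values are known). Any other id raises
%% function_clause, which is exactly the crash the PR describes.
enum_to_curve(23) -> secp256r1;
enum_to_curve(24) -> secp384r1;
enum_to_curve(25) -> secp521r1.

%% Extension body: 2-byte list length followed by 2-byte curve ids.
%% Anything else (odd length, trailing bytes) is rejected as malformed.
parse_curves(<<Len:16, Ids:Len/binary>>) when Len rem 2 =:= 0 ->
    [Id || <<Id:16>> <= Ids];
parse_curves(_Other) ->
    {error, malformed}.

%% Hardened mapping: an unknown id is dropped rather than propagating the
%% function_clause error up into the handshake process.
known_curves(Ids) ->
    lists:filtermap(
      fun(Id) ->
              try {true, enum_to_curve(Id)}
              catch error:function_clause -> false
              end
      end, Ids).

%% Pick the first client-offered curve (client preference order) that the
%% server supports; return none so the caller can refuse ECC cipher suites.
select_curve({error, _} = Err, _ServerCurves) ->
    Err;
select_curve(ClientIds, ServerCurves) ->
    case [C || C <- known_curves(ClientIds), lists:member(C, ServerCurves)] of
        []          -> none;
        [First | _] -> {ok, First}
    end.

%% Constructed ClientHello extension body: three ids, 0 (unknown), 23, 24.
%% A server supporting secp384r1 and secp256r1 negotiates {ok, secp256r1};
%% a server supporting only secp521r1 gets none instead of a crash.
demo() ->
    Ext = <<6:16, 0:16, 23:16, 24:16>>,
    Ids = parse_curves(Ext),
    {select_curve(Ids, [secp384r1, secp256r1]),
     select_curve(Ids, [secp521r1])}.
```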
@proxyles (Contributor) commented

We have decided to include this but with a slightly different implementation. Thank you for your contribution!

@proxyles closed this Mar 14, 2014
@stolen (Contributor) commented Mar 14, 2014

Are there chances for it to be included in R16B04?
