When unmarshalling a serverHello message, we currently just iterate over the set of all extensions that appear in the message. If a given extension appears more than once, the last instance of that extension "wins", with its contents (for example, the ALPN protocol) being written to the appropriate field (e.g. `.alpnProtocol`) on the `serverHelloMsg` struct.
The same is true when a TLS server unmarshals a clientHello message.
What did you expect to see?
RFC 5246, Section 7.4.1.4, which specifies TLS 1.2, states "There MUST NOT be more than one extension of the same type." There is an equivalent statement in RFC 8446, Section 4.2, which specifies TLS 1.3. Therefore I expected message unmarshalling to fail if multiple extensions of the same type are present.
What did you see instead?
Message unmarshalling does not fail.
It should be noted: the relevant RFCs do not specify that one end of the connection MUST abort the connection if the other end sends duplicate extensions, so there is a reasonable interpretation that it is only required that the library not produce messages with duplicate extensions.
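The strict behaviour described in this report, sketched as an added example (this is not crypto/tls code and not part of the original issue): a stand-alone parser for a TLS extensions block that returns an error on a repeated extension type instead of letting the last one win. The names `parseExtensions`, `ext`, `block` and the two error values are hypothetical, and the sample input is constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

var errMalformed = errors.New("malformed extensions block")
var errDuplicate = errors.New("duplicate extension type")

// parseExtensions reads a 2-byte total length followed by type(2)|length(2)|data
// entries, and fails on a repeated type instead of letting the last one win.
func parseExtensions(b []byte) (map[uint16][]byte, error) {
	if len(b) < 2 || int(binary.BigEndian.Uint16(b)) != len(b)-2 {
		return nil, errMalformed
	}
	seen := make(map[uint16][]byte)
	for b = b[2:]; len(b) > 0; {
		if len(b) < 4 || int(binary.BigEndian.Uint16(b[2:])) > len(b)-4 {
			return nil, errMalformed
		}
		typ, n := binary.BigEndian.Uint16(b), int(binary.BigEndian.Uint16(b[2:]))
		if _, dup := seen[typ]; dup { // RFC 8446 4.2: MUST NOT repeat a type
			return nil, fmt.Errorf("%w: %d", errDuplicate, typ)
		}
		seen[typ] = b[4 : 4+n]
		b = b[4+n:]
	}
	return seen, nil
}

// ext and block encode constructed sample input (hypothetical helpers).
func ext(typ uint16, data string) []byte {
	hdr := []byte{byte(typ >> 8), byte(typ), byte(len(data) >> 8), byte(len(data))}
	return append(hdr, data...)
}

func block(entries ...[]byte) []byte {
	body := bytes.Join(entries, nil)
	return append([]byte{byte(len(body) >> 8), byte(len(body))}, body...)
}

func main() { // constructed input: two ALPN (type 16) extensions in one hello
	dup := block(ext(16, "\x00\x03\x02h2"), ext(16, "\x00\x09\x08http/1.1"))
	_, err := parseExtensions(dup)
	fmt.Println(err)
}
```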