crypto/tls: abort handshake if unrequested extensions are sent #51090
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
When processing a
serverHello
message, the extensions sent by the server are processed regardless of whether they were requested by the client. For example, a client could send aclientHello
which does not include theSCTs
extension, but any SCTs provided by the server will be accepted regardless.The same appears to be true in the TLS 1.3 implementation.
What did you expect to see?
RFC 5246, Section 7.4.1.4 states “An extension type MUST NOT appear in the ServerHello unless the same extension type appeared in the corresponding ClientHello.”. Similarly, RFC 8446, Section 4.2 states “Implementations MUST NOT send extension responses if the remote endpoint did not send the corresponding extension requests... Upon receiving such an extension, an endpoint MUST abort the handshake with an
unsupported_extension
alert.”.Therefore I expected that receiving an extension that was not requested would result in
alertUnexpectedExtension
being sent.What did you see instead?
The handshake is not aborted.
It should be noted that, unlike #51088, the RFCs here do explicitly require that the connection be aborted if the other side presents a non-compliant message. At the same time, it does seem useful to always accept extensions like SCTs and Stapled OCSP regardless of whether they were explicitly requested by the client.
The text was updated successfully, but these errors were encountered: