When processing a serverHello message, the extensions sent by the server are processed regardless of whether they were requested by the client. For example, a client could send a clientHello which does not include the SCTs extension, but any SCTs provided by the server will be accepted regardless.
The same appears to be true in the TLS 1.3 implementation.
What did you expect to see?
RFC 5246, Section 22.214.171.124 states “An extension type MUST NOT appear in the ServerHello unless the same extension type appeared in the corresponding ClientHello.”. Similarly, RFC 8446, Section 4.2 states “Implementations MUST NOT send extension responses if the remote endpoint did not send the corresponding extension requests... Upon receiving such an extension, an endpoint MUST abort the handshake with an unsupported_extension alert.”.
Therefore I expected that receiving an extension that was not requested would result in alertUnexpectedExtension being sent.
What did you see instead?
The handshake is not aborted.
It should be noted that, unlike #51088, the RFCs here do explicitly require that the connection be aborted if the other side presents a non-compliant message. At the same time, it does seem useful to always accept extensions like SCTs and Stapled OCSP regardless of whether they were explicitly requested by the client.
The text was updated successfully, but these errors were encountered: