crypto/tls: server doesn't check for empty legacy_session_id when doing QUIC session resumption #63936
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What did you do?
I sent a ClientHello containing a legacy_session_id when resuming a QUIC session. This is not permitted, see section 8.4 of RFC 9001.
What did you expect to see?
The server should have rejected the handshake. RFC 9001 section 8.4 says that the server SHOULD treat the receipt of a TLS ClientHello with a non-empty legacy_session_id field as a connection error of type PROTOCOL_VIOLATION.
What did you see instead?
The handshake succeeded.
The text was updated successfully, but these errors were encountered: