While playing with the OpenSSL server (version 1.0.2a), I found out it is possible to send ClientHello messages with invalid extension lengths where the extension length is larger than the amount of the extension data. If the server receives such a ClientHello message, it correctly omits further extension processing. However, it does not return any decoding error and proceeds with the handshake.
Even though this does not lead to any security vulnerability, I believe returning a decoding alert would be a correct practice (or is there any compatibility reason for not returning such an alert?)
I believe this issue should be fixed here: https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L1941
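The length check the report asks for, as an added example (not OpenSSL's code and not part of the original report): a strict walk over a ClientHello extensions block that returns decode_error (alert 50) when an extension length exceeds the data that remains. The function name `check_extensions` and both sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_ALERT_DECODE_ERROR 50 /* TLS alert code for decode_error */

static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Walk an extensions block: uint16 block length, then repeated
 * (uint16 type, uint16 length, data[length]). Returns 0 when all lengths are
 * consistent, TLS_ALERT_DECODE_ERROR when one runs past the bytes present.
 * *parsed counts the complete extensions seen before the walk stopped. */
int check_extensions(const uint8_t *buf, size_t len, size_t *parsed)
{
    size_t off = 2, end, ext_len;

    *parsed = 0;
    if (len < 2)
        return TLS_ALERT_DECODE_ERROR;
    end = 2 + rd16(buf);
    if (end > len)                 /* block claims more than was sent */
        return TLS_ALERT_DECODE_ERROR;
    while (off < end) {
        if (end - off < 4)         /* truncated type/length header */
            return TLS_ALERT_DECODE_ERROR;
        ext_len = rd16(buf + off + 2);
        off += 4;
        if (ext_len > end - off)   /* the malformed case from the report */
            return TLS_ALERT_DECODE_ERROR;
        off += ext_len;
        (*parsed)++;
    }
    return 0;
}

/* Constructed sample blocks (not captured traffic): extension 0x0023 with no
 * data, then extension 0x000b with two data bytes. */
static const uint8_t EXT_OK[]  = { 0x00, 0x0a, 0x00, 0x23, 0x00, 0x00,
                                   0x00, 0x0b, 0x00, 0x02, 0x01, 0x00 };
/* Same bytes, but the second extension claims 16 data bytes; only 2 follow. */
static const uint8_t EXT_BAD[] = { 0x00, 0x0a, 0x00, 0x23, 0x00, 0x00,
                                   0x00, 0x0b, 0x00, 0x10, 0x01, 0x00 };

int main(void)
{
    size_t n;
    printf("ok:  %d\n", check_extensions(EXT_OK, sizeof EXT_OK, &n));
    printf("bad: %d\n", check_extensions(EXT_BAD, sizeof EXT_BAD, &n));
    return 0;
}
```

A server using a check of this shape would send the alert and abort instead of silently skipping the remaining extensions and continuing the handshake.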