legacy cookie field #118

martinthomson · 2020-02-25T18:45:38Z

I can't reconcile:

In this case, the cookie extension is omitted and the legacy_cookie field in the ClientHello message SHOULD be set to a zero length vector (i.e., a single zero byte length field) and MUST be ignored by a server negotiating DTLS 1.3.

... with:

If a DTLS 1.3 ClientHello is received with any other value in this field, the server MUST abort the handshake with an "illegal_parameter" alert.

The MUSTs in these appear to be pulling in opposite directions. I suspect that the latter is correct though. It is possible that a DTLS 1.3 client could get a legacy cookie from a DTLS 1.2 server, so that it is valid for the legacy cookie to appear when supported_versions includes DTLS 1.3. However, that represents an attack and a DTLS 1.3 server shouldn't continue to establish the connection. Maybe it isn't a bad attack because the client doesn't change its posture in ways that would materially affect the resulting session, but we have generally tried to avoid these.

Zero length cookies must be used. Fixes #118

ekr added the pr-exists label Mar 6, 2020

chris-wood closed this as completed in 94cf390 Mar 6, 2020

chris-wood added a commit that referenced this issue Mar 6, 2020

Merge pull request #119 from ekr/issue118_refuse_cookie

89fd00f

Zero length cookies must be used. Fixes #118

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

legacy cookie field #118

legacy cookie field #118

martinthomson commented Feb 25, 2020

legacy cookie field #118

legacy cookie field #118

Comments

martinthomson commented Feb 25, 2020