Backout previous commit (intending that libressl client rejects a supported

author sthen <sthen@openbsd.org>

Tue, 2 Apr 2024 22:50:54 +0000 (22:50 +0000)

committer sthen <sthen@openbsd.org>

Tue, 2 Apr 2024 22:50:54 +0000 (22:50 +0000)
author sthen <sthen@openbsd.org>
Tue, 2 Apr 2024 22:50:54 +0000 (22:50 +0000)
committer sthen <sthen@openbsd.org>
Tue, 2 Apr 2024 22:50:54 +0000 (22:50 +0000)
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c

index 6649baf..9073445 100644 (file)
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.146 2024/03/28 00:22:35 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.147 2024/04/02 22:50:54 sthen Exp $ */
  /*
   * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
   * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -324,8 +324,22 @@ static int
  tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
      int *alert)
  {
-       /* Servers should not send this extension per the RFC. */
-       return 0;
+       /*
+        * Servers should not send this extension per the RFC.
+        *
+        * However, certain F5 BIG-IP systems incorrectly send it. This bug is
+        * from at least 2014 but as of 2017, there are still large sites with
+        * this unpatched in production. As a result, we need to currently skip
+        * over the extension and ignore its content:
+        *
+        *  https://support.f5.com/csp/article/K37345003
+        */
+       if (!CBS_skip(cbs, CBS_len(cbs))) {
+               *alert = SSL_AD_INTERNAL_ERROR;
+               return 0;
+       }
+
+       return 1;
  }
  
  /*
author	sthen <sthen@openbsd.org>
	Tue, 2 Apr 2024 22:50:54 +0000 (22:50 +0000)
committer	sthen <sthen@openbsd.org>
	Tue, 2 Apr 2024 22:50:54 +0000 (22:50 +0000)