From 130ddb114e9dfaab518a9e1c702cf00ef5a8897c Mon Sep 17 00:00:00 2001 From: beck Date: Thu, 28 Mar 2024 00:22:35 +0000 Subject: [PATCH] Stop pandering to the loadbalancer industrial complex. So we initially kept this hack around for f5 boxes that should have been patched in 2014, and were not as of 2017. The f5 article for the bug archived on their web site, and any of these devices on the public internet will have since been upgraded to deal with a host of record layer, TLS, and other bugs, or they likely won't be talking to modern stacks, since as of this point the software with the bug would not have been updated in 10 years. So just make this spec compliant and reject a supported groups extension that should not have been sent by a server. ok tb@ jsing@ --- lib/libssl/ssl_tlsext.c | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c index 14cf6fce84b..6649baf291f 100644 --- a/lib/libssl/ssl_tlsext.c +++ b/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.145 2024/03/27 22:27:09 beck Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.146 2024/03/28 00:22:35 beck Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -324,22 +324,8 @@ static int tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - /* - * Servers should not send this extension per the RFC. - * - * However, certain F5 BIG-IP systems incorrectly send it. This bug is - * from at least 2014 but as of 2017, there are still large sites with - * this unpatched in production. As a result, we need to currently skip - * over the extension and ignore its content: - * - * https://support.f5.com/csp/article/K37345003 - */ - if (!CBS_skip(cbs, CBS_len(cbs))) { - *alert = SSL_AD_INTERNAL_ERROR; - return 0; - } - - return 1; + /* Servers should not send this extension per the RFC. */ + return 0; } /* -- 2.20.1