From 57350ff906c2194c4a8ea6cae315ff5ba63a4a3f Mon Sep 17 00:00:00 2001 From: tb Date: Tue, 8 Jun 2021 18:05:47 +0000 Subject: [PATCH] Ignore the record version for early alerts On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI. Part of an issue reported by danj. ok jsing --- lib/libssl/tls13_record_layer.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/libssl/tls13_record_layer.c b/lib/libssl/tls13_record_layer.c index ff2a6884b6b..6556547353f 100644 --- a/lib/libssl/tls13_record_layer.c +++ b/lib/libssl/tls13_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record_layer.c,v 1.61 2021/05/16 14:19:04 jsing Exp $ */ +/* $OpenBSD: tls13_record_layer.c,v 1.62 2021/06/08 18:05:47 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -826,12 +826,18 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) return ret; } + content_type = tls13_record_content_type(rl->rrec); + + /* + * In response to a client hello we may receive an alert in a + * record with a legacy version. Otherwise enforce that the + * legacy record version is 0x0303 per RFC 8446, section 5.1. + */ if (rl->legacy_version == TLS1_2_VERSION && - tls13_record_version(rl->rrec) != TLS1_2_VERSION) + tls13_record_version(rl->rrec) != TLS1_2_VERSION && + (content_type != SSL3_RT_ALERT || !rl->legacy_alerts_allowed)) return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); - content_type = tls13_record_content_type(rl->rrec); - /* * Bag of hacks ahead... after the first ClientHello message has been * sent or received and before the peer's Finished message has been -- 2.20.1