Allow TLSv1.3 clients to send CCS without middlebox compatibility mode.

While RFC 8446 is clear about what legacy session identifiers can be sent by a TLSv1.3 client and how middlebox compatibility mode is requested, it is delightfully vague about the circumstances under which a client is permitted to send CCS messages. While it does not make sense for a client to send CCS messages when they are not requesting middlebox compatibility mode, it is not strictly forbidden by the RFC and at least one (unknown) TLSv1.3 stack has been observed to do this in the wild. Revert part of the previous change and allow clients to send CCS messages, even if they are not requesting middlebox compatibility mode. Found the hard way by florian@ ok tb@
libressl · Sep 17, 2022 · 7749901 · 7749901
1 parent b3b3d39
commit 7749901
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.102 2022/09/11 14:39:44 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.103 2022/09/17 17:14:06 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <[email protected]>
  * Copyright (c) 2020 Bob Beck <[email protected]>
@@ -318,9 +318,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 	if (ctx->hs->key_share != NULL)
 		ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
 
-	/* Only allow CCS if client requested middlebox compatibility mode. */
-	if (ctx->hs->tls13.legacy_session_id_len > 0)
-		tls13_record_layer_allow_ccs(ctx->rl, 1);
+	tls13_record_layer_allow_ccs(ctx->rl, 1);
 
 	return 1;