sync with OpenBSD -current
This commit is contained in:
parent
a339fc8c86
commit
d47112308d
14 changed files with 123 additions and 69 deletions
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssl_tlsext.c,v 1.146 2024/03/28 00:22:35 beck Exp $ */
|
||||
/* $OpenBSD: ssl_tlsext.c,v 1.147 2024/04/02 22:50:54 sthen Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
|
||||
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
|
||||
|
@ -324,8 +324,22 @@ static int
|
|||
tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
|
||||
int *alert)
|
||||
{
|
||||
/* Servers should not send this extension per the RFC. */
|
||||
return 0;
|
||||
/*
|
||||
* Servers should not send this extension per the RFC.
|
||||
*
|
||||
* However, certain F5 BIG-IP systems incorrectly send it. This bug is
|
||||
* from at least 2014 but as of 2017, there are still large sites with
|
||||
* this unpatched in production. As a result, we need to currently skip
|
||||
* over the extension and ignore its content:
|
||||
*
|
||||
* https://support.f5.com/csp/article/K37345003
|
||||
*/
|
||||
if (!CBS_skip(cbs, CBS_len(cbs))) {
|
||||
*alert = SSL_AD_INTERNAL_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|