wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!

Home Page: https://www.wolfssl.com

[Bug]: ClientHello's handshake version issue

SmallTown123 opened this issue · comments

Contact Details

small_town_123@163.com

Version

5.5.1

Description

We found that the handshake version field of TLS 1.3 can only be 0x0303, and will respond with an Alert message for any other content. Is this a compatibility issue with other TLS implementation libraries?

Reproduction steps

No response

Relevant log output

No response

Hi @SmallTown123 ,

My name is Anthony and I am a member of the wolfSSL team. Please see the RFC for TLS 1.3: https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2

In particular, I will quote a specific passage:

legacy_version: In previous versions of TLS, this field was used for
version negotiation and represented the highest version number
supported by the client. Experience has shown that many servers
do not properly implement version negotiation, leading to "version
intolerance" in which the server rejects an otherwise acceptable
ClientHello with a version number higher than it supports. In
TLS 1.3, the client indicates its version preferences in the
"supported_versions" extension (Section 4.2.1) and the
legacy_version field MUST be set to 0x0303, which is the version
number for TLS 1.2. TLS 1.3 ClientHellos are identified as having
a legacy_version of 0x0303 and a supported_versions extension
present with 0x0304 as the highest version indicated therein.
(See Appendix D for details about backward compatibility.)

So this is required to be this way.

I hope this helps. Please let me know if you need more clarifications.

Warm regards, Anthony
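The rule in the quoted RFC passage, as an added example that is not part of the original thread and is not wolfSSL code: a parser that walks a ClientHello body, reads legacy_version and the supported_versions extension, and reports whether a TLS 1.3 hello carries the required 0x0303. The function names, verdict strings and the sample message are assumptions constructed for illustration.

```python
TLS12, TLS13 = 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43  # extension type from RFC 8446, Section 4.2

def _vec(buf, off, nlen):
    """Read a vector with an nlen-byte length prefix; return (data, next_off)."""
    if off + nlen > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[off:off + nlen], "big")
    off += nlen
    if off + n > len(buf):
        raise ValueError("vector overruns buffer")
    return buf[off:off + n], off + n

def classify_client_hello(body):
    """body is the ClientHello after the 4-byte handshake header."""
    if len(body) < 34:
        raise ValueError("shorter than legacy_version + random")
    legacy = int.from_bytes(body[:2], "big")
    off = 34                        # legacy_version(2) + random(32)
    for nlen in (1, 2, 1):          # session_id, cipher_suites, compression
        _, off = _vec(body, off, nlen)
    offered = []
    if off < len(body):             # extensions block is present
        exts, off = _vec(body, off, 2)
        if off != len(body):
            raise ValueError("trailing bytes after extensions")
        eoff = 0
        while eoff < len(exts):
            etype = int.from_bytes(exts[eoff:eoff + 2], "big")
            data, eoff = _vec(exts, eoff + 2, 2)
            if etype == EXT_SUPPORTED_VERSIONS:
                vers, end = _vec(data, 0, 1)
                if end != len(data) or not vers or len(vers) % 2:
                    raise ValueError("bad supported_versions list")
                offered = [int.from_bytes(vers[i:i + 2], "big")
                           for i in range(0, len(vers), 2)]
    if TLS13 not in offered:
        return "not-tls13"          # legacy_version still negotiates here
    return "tls13-ok" if legacy == TLS12 else "tls13-bad-legacy-version"

def sample_client_hello(legacy, versions):
    """Constructed minimal body: zero random, one cipher suite, one extension."""
    sv = b"".join(v.to_bytes(2, "big") for v in versions)
    ext = (EXT_SUPPORTED_VERSIONS.to_bytes(2, "big")
           + (len(sv) + 1).to_bytes(2, "big") + bytes([len(sv)]) + sv)
    return (legacy.to_bytes(2, "big") + bytes(32) + b"\x00"
            + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)

if __name__ == "__main__":
    for legacy in (0x0303, 0x0304, 0x0301):
        print(hex(legacy), classify_client_hello(sample_client_hello(legacy, [TLS13])))
```

A differential test harness can use the verdict to separate "peer rejected a non-conforming hello" from a genuine interoperability difference.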

May I ask, can you please let us know a bit about yourself and your project? Is this project academic, professional or personal? We love to know how people are using our software so please feel free to let us know as much as you care to share.

Warm regards, Anthony

Hi, Anthony. Thanks for your reply. We are using a deep differential fuzzing framework, TLS-DeepDiffer, but sorry, the work is not yet published and we are not yet able to provide more detailed information. We will get in touch with you if we have more security findings. Thanks.

After your analysis, we feel that there may be some problems with other TLS implementation libraries in this regard, thanks!

Excellent. When you are able to show us your published work, please send a message to "facts at wolfssl.com" and "anthony at wolfssl.com". I will now proceed to close this issue.

Warm regards, Anthony

I think wolfSSL and OpenSSL can agree to different approaches. We are a bit more strict about how we approach this. The OpenSSL team chooses to be a bit more relaxed. That's fine.