mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-16 08:42:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Do not forget about TLS 1.2 disabled at runtime aspect

Browse Source 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2024-03-07 16:01:43 +01:00
parent e301813da4
commit 53dff7b0af
2 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog.d/tls13-only-server-infinite-loop.txt
View File

@ -1,5 +0,0 @@
Security
* Fixed a denial of service in TLS 1.3-only server (TLS 1.2 support
disabled at build time): a TLS client could put the TLS 1.3-only server in
an infinite loop processing a TLS 1.2 ClientHello. Reported by Matthias
Mucha and Thomas Blattmann, SICK AG.

10
ChangeLog.d/tls13-only-server.txt Normal file
View File

@ -0,0 +1,10 @@
Security
* When negotiating TLS version on server side, do not fallback to the
TLS 1.2 implementation of the protocol if it is not enabled.
- If the TLS 1.2 implementation was disabled at build time, a TLS 1.2
client was able to put the TLS 1.3-only server in an infinite loop
processing a TLS 1.2 ClientHello, resulting in a Denial of Service.
Reported by Matthias Mucha and Thomas Blattmann, SICK AG.
- If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client
was able to successfully established a connection with the TLS 1.3-only
server. Reported by alluettiv on GitHub.