diff --git a/ChangeLog.d/tls13-only-server.txt b/ChangeLog.d/tls13-only-server.txt new file mode 100644 index 0000000000..9583bfb331 --- /dev/null +++ b/ChangeLog.d/tls13-only-server.txt @@ -0,0 +1,10 @@ +Security + * When negotiating TLS version on server side, do not fall back to the + TLS 1.2 implementation of the protocol if it is disabled. + - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 + client could put the TLS 1.3-only server in an infinite loop processing + a TLS 1.2 ClientHello, resulting in a denial of service. Reported by + Matthias Mucha and Thomas Blattmann, SICK AG. + - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client + was able to successfully establish a TLS 1.2 connection with the server. + Reported by alluettiv on GitHub.
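Review bot: the entry in ChangeLog.d/tls13-only-server.txt describes the two bugs but never says what the fixed server now does with a TLS 1.2 ClientHello, and it does not say what "disabled at build time" and "disabled at runtime" refer to. Consider stating the observable post-fix behaviour (the handshake fails instead of looping or instead of completing as TLS 1.2) and naming the build-time option and the runtime configuration call that disable TLS 1.2, so that users can tell from the changelog alone whether their configuration was affected. For the second bullet, it would also help to spell out the consequence: a client negotiated a protocol version below the minimum the server had been configured to accept, which is a version downgrade, not merely an unexpected connection.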