Skip to content

Tolerate DTLS alerts with an incorrect version number (1.0.2) #5019

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mattcaswell wants to merge 1 commit into from
Closed

Tolerate DTLS alerts with an incorrect version number (1.0.2) #5019

mattcaswell wants to merge 1 commit into from

Conversation

@mattcaswell
Copy link
Member

@mattcaswell mattcaswell commented Jan 5, 2018

In the case of a protocol version alert being sent by a peer the record
version number may not be what we are expecting. In DTLS records with an
unexpected version number are silently discarded. This probably isn't
appropriate for alerts, so we tolerate a mismatch in the minor version
number.

This resolves an issue reported on openssl-users where an OpenSSL server
chose DTLS1.0 but the client was DTLS1.2 only and sent a protocol_version
alert with a 1.2 record number. This was silently ignored by the server.

This is the 1.0.2 version of PR #5018

@mattcaswell
Tolerate DTLS alerts with an incorrect version number
61e4f1e 
In the case of a protocol version alert being sent by a peer the record
version number may not be what we are expecting. In DTLS records with an
unexpected version number are silently discarded. This probably isn't
appropriate for alerts, so we tolerate a mismatch in the minor version
number.

This resolves an issue reported on openssl-users where an OpenSSL server
chose DTLS1.0 but the client was DTLS1.2 only and sent a protocol_version
alert with a 1.2 record number. This was silently ignored by the server.
@mattcaswell mattcaswell added the branch: 1.0.2 Applies to OpenSSL_1_0_2-stable branch (EOL) label Jan 5, 2018
levitte pushed a commit that referenced this pull request Jan 9, 2018
@mattcaswell
Tolerate DTLS alerts with an incorrect version number
da9ed72 
In the case of a protocol version alert being sent by a peer the record
version number may not be what we are expecting. In DTLS records with an
unexpected version number are silently discarded. This probably isn't
appropriate for alerts, so we tolerate a mismatch in the minor version
number.

This resolves an issue reported on openssl-users where an OpenSSL server
chose DTLS1.0 but the client was DTLS1.2 only and sent a protocol_version
alert with a 1.2 record number. This was silently ignored by the server.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from #5019)
@mattcaswell
Copy link
Member Author

mattcaswell commented Jan 9, 2018

Pushed. Thanks.

@mattcaswell mattcaswell closed this Jan 9, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vdukhovni vdukhovni vdukhovni approved these changes

Assignees

No one assigned

Labels

branch: 1.0.2 Applies to OpenSSL_1_0_2-stable branch (EOL)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mattcaswell @vdukhovni