From 53dff7b0af544d22d801e886a11ce1f5e3bab89e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 7 Mar 2024 16:01:43 +0100 Subject: [PATCH] Do not forget about TLS 1.2 disabled at runtime aspect Signed-off-by: Ronald Cron --- ChangeLog.d/tls13-only-server-infinite-loop.txt | 5 ----- ChangeLog.d/tls13-only-server.txt | 10 ++++++++++ 2 files changed, 10 insertions(+), 5 deletions(-) delete mode 100644 ChangeLog.d/tls13-only-server-infinite-loop.txt create mode 100644 ChangeLog.d/tls13-only-server.txt diff --git a/ChangeLog.d/tls13-only-server-infinite-loop.txt b/ChangeLog.d/tls13-only-server-infinite-loop.txt deleted file mode 100644 index 7232242c8..000000000 --- a/ChangeLog.d/tls13-only-server-infinite-loop.txt +++ /dev/null @@ -1,5 +0,0 @@ -Security - * Fixed a denial of service in TLS 1.3-only server (TLS 1.2 support - disabled at build time): a TLS client could put the TLS 1.3-only server in - an infinite loop processing a TLS 1.2 ClientHello. Reported by Matthias - Mucha and Thomas Blattmann, SICK AG. diff --git a/ChangeLog.d/tls13-only-server.txt b/ChangeLog.d/tls13-only-server.txt new file mode 100644 index 000000000..0ee63eab8 --- /dev/null +++ b/ChangeLog.d/tls13-only-server.txt @@ -0,0 +1,10 @@ +Security + * When negotiating TLS version on server side, do not fallback to the + TLS 1.2 implementation of the protocol if it is not enabled. + - If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 + client was able to put the TLS 1.3-only server in an infinite loop + processing a TLS 1.2 ClientHello, resulting in a Denial of Service. + Reported by Matthias Mucha and Thomas Blattmann, SICK AG. + - If the TLS 1.2 implementation was disabled at runtime, a TLS 1.2 client + was able to successfully established a connection with the TLS 1.3-only + server. Reported by alluettiv on GitHub.