h2o / picotls

TLS 1.3 implementation in C (master supports RFC8446 as well as draft-26, -27, -28)

CH wo. ext block is valid pre TLS 1.2, decode them then raise version alert #473

Closed kazuho closed 1 year ago

kazuho commented 1 year ago

The code path for possibly valid ClientHellos that are incompatible with picotls is to:

  1. decode them,
  2. call the on_client_hello callback, then
  3. raise INCOMPATIBLE_VERSION alert.

Also, TLS records with unknown ContentTypes are rejected outright. This includes SSL 2 ClientHellos.
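As an added illustration of the path described above (not picotls's own code): a minimal ClientHello body decoder that accepts the pre-TLS 1.3 form without an extensions block, hands the decoded hello to an on_client_hello-style callback, and only then answers with a protocol_version alert when supported_versions does not offer TLS 1.3. The struct, function and constant names and the two sample hellos are hypothetical/constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Alert descriptions from RFC 8446 section 6 (0 = accepted), plus the extension type and version we look for. */
enum { ALERT_ACCEPT = 0, ALERT_DECODE_ERROR = 50, ALERT_PROTOCOL_VERSION = 70, EXT_SUPPORTED_VERSIONS = 43, TLS13 = 0x0304 };

typedef struct { uint16_t legacy_version; int has_extensions, offers_tls13; } client_hello_t;
static size_t rd16(const uint8_t *p) { return (size_t)(p[0] << 8 | p[1]); }
/* Parse a ClientHello body (after the 4-byte Handshake header); the extensions block is optional before TLS 1.3. */
static int decode_client_hello(const uint8_t *p, size_t len, client_hello_t *ch)
{
    size_t off = 34, n, elen, i;                                   /* skip legacy_version + random */
    ch->has_extensions = ch->offers_tls13 = 0;
    if (len < off + 1) return 0;
    ch->legacy_version = (uint16_t)rd16(p);
    if ((n = p[off++]) > 32 || off + n + 2 > len) return 0;         /* session_id<0..32> */
    off += n;
    if ((n = rd16(p + off)) < 2 || n % 2 || (off += 2) + n + 1 > len) return 0; /* cipher_suites<2..2^16-2> */
    off += n;
    if ((n = p[off++]) < 1 || off + n > len) return 0;              /* compression_methods<1..2^8-1> */
    off += n;
    if (off == len) return 1;                                       /* pre-1.3 form: no extensions block */
    if (off + 2 > len || rd16(p + off) + 2 != len - off) return 0;  /* extensions block must end the body */
    off += 2; ch->has_extensions = 1;
    while (off + 4 <= len) {                                        /* walk the extensions */
        n = rd16(p + off); elen = rd16(p + off + 2); off += 4;
        if (off + elen > len) return 0;
        if (n == EXT_SUPPORTED_VERSIONS) {                          /* versions<2..254>, 1-byte length prefix */
            if (elen < 3 || (size_t)p[off] + 1 != elen || p[off] % 2) return 0;
            for (i = 1; i + 1 < elen; i += 2)
                if (rd16(p + off + i) == TLS13) ch->offers_tls13 = 1;
        }
        off += elen;
    }
    return off == len;
}

/* The PR's path: decode, call on_client_hello (may be NULL), then raise protocol_version if TLS 1.3 is not offered. */
static int handle_client_hello(const uint8_t *p, size_t len, void (*on_client_hello)(const client_hello_t *))
{
    client_hello_t ch;
    if (!decode_client_hello(p, len, &ch)) return ALERT_DECODE_ERROR;
    if (on_client_hello != NULL) on_client_hello(&ch);
    return ch.offers_tls13 ? ALERT_ACCEPT : ALERT_PROTOCOL_VERSION;
}

/* Constructed samples (random all zero): a TLS 1.0 hello with no extensions block, and a TLS 1.3 hello offering 0x0304. */
static const uint8_t HELLO_TLS10[41] = { 0x03, 0x01, [35] = 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00 };
static const uint8_t HELLO_TLS13[50] = { 0x03, 0x03, [35] = 0x00, 0x02, 0x13, 0x01, 0x01, 0x00,
                                         0x00, 0x07, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04 };
```

A TLS 1.2 hello that carries extensions but no supported_versions takes the same route as the TLS 1.0 sample: it decodes cleanly, reaches the callback, and is then refused with protocol_version rather than decode_error.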

kazuho commented 1 year ago

@robguima Would you mind reviewing this PR?