From 2093428834151ea4788aa773b5aa2d35e0bbc90a Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 24 Aug 2022 16:02:23 +0100
Subject: [PATCH] Tolerate a bad record version in TLSv1.3 plaintext records

When a server responds to a second TLSv1.3 ClientHello it is required to set the legacy_record_version to 0x0303 (TLSv1.2). The client is required to ignore that field even if it is wrong. The recent changes to the read record layer in PR #18132 made the record layer stricter and it was checking that the legacy_record_version was the correct value. This caused connection failures when talking to buggy servers that set the wrong legacy_record_version value. We make us more tolerant again.

Fixes #19051

Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/19058)
---
 ssl/record/methods/tlsany_meth.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/ssl/record/methods/tlsany_meth.c b/ssl/record/methods/tlsany_meth.c
index 8f731af0922..e34b8ca8ae9 100644
--- a/ssl/record/methods/tlsany_meth.c
+++ b/ssl/record/methods/tlsany_meth.c
@@ -87,15 +87,9 @@ static int tls_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
 } else if (rl->version == TLS1_3_VERSION) {
 /*
 * In this case we know we are going to negotiate TLSv1.3, but we've
- * had an HRR, so we haven't actually done so yet. Nonetheless we
- * still expect the record version to be TLSv1.2 as per a normal
- * TLSv1.3 record
+ * had an HRR, so we haven't actually done so yet. In TLSv1.3 we
+ * must ignore the legacy record version in plaintext records.
 */
- if (rec->rec_version != TLS1_2_VERSION) {
- RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
- SSL_R_WRONG_VERSION_NUMBER);
- return 0;
- }
 } else if (rec->rec_version != rl->version) {
 if ((rl->version & 0xFF00) == (rec->rec_version & 0xFF00)) {
 if (rec->type == SSL3_RT_ALERT) {
-- 
2.47.3
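Review bot: The diffstat shows only tlsany_meth.c changed, so nothing exercises the newly tolerated case; a test in which the server's post-HRR flight carries a legacy_record_version other than 0x0303 would pin the RFC 8446 §5.1 behaviour (the field MUST be ignored for all purposes) and stop a later record-layer tightening from reintroducing the failure reported in #19051. The `else if (rl->version == TLS1_3_VERSION)` arm is now a comment-only empty block whose real job is to pre-empt the `rec->rec_version != rl->version` comparison that follows, and the comment could say so, e.g. `* No check here on purpose: falling through skips the rec_version comparison below.` tls_validate_record_header begins and ends outside the hunk, so whether the record type and length are still validated on this path is not visible here.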