diff options
| author | 古大羊 <lj1788@gmail.com> | 2025-02-10 12:49:15 +0800 |
|---|---|---|
| committer | Sean Liao <sean@liao.dev> | 2025-03-17 14:34:46 -0700 |
| commit | cd2f347c61bd9f41e977d74dc2dd3a1f36b65800 (patch) | |
| tree | 12dd782c50393775ea172b1d1c6f24f8a2b39cad /src/crypto | |
| parent | c7ea87132f4e6f3c81e525c396a64471c9af0091 (diff) | |
| download | go-cd2f347c61bd9f41e977d74dc2dd3a1f36b65800.tar.xz | |
crypto/tls: fix ECH compatibility
Previously, the code only checked supportedVersions[0] for TLS 1.3
However, Chromium-based
browsers may list TLS 1.3 at different positions, causing ECH failures.
This fix:
Iterates through supportedVersions to accept connections as long as TLS 1.3 is present.
Improves ECH compatibility, ensuring Chrome, Edge, and other browsers work properly.
Fixes #71642
Change-Id: I32f4219fb6654d5cc22c7f33497c6142c0acb4f2
Reviewed-on: https://go-review.googlesource.com/c/go/+/648015
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Diffstat (limited to 'src/crypto')
| -rw-r--r-- | src/crypto/tls/ech.go | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/src/crypto/tls/ech.go b/src/crypto/tls/ech.go index 8bfd47ced3..3ca9fd00b1 100644 --- a/src/crypto/tls/ech.go +++ b/src/crypto/tls/ech.go @@ -392,8 +392,28 @@ func decodeInnerClientHello(outer *clientHelloMsg, encoded []byte) (*clientHello return nil, errInvalidECHExt } - if len(inner.supportedVersions) != 1 || (len(inner.supportedVersions) >= 1 && inner.supportedVersions[0] != VersionTLS13) { - return nil, errors.New("tls: client sent encrypted_client_hello extension and offered incompatible versions") + hasTLS13 := false + for _, v := range inner.supportedVersions { + // Skip GREASE values (values of the form 0x?A0A). + // GREASE (Generate Random Extensions And Sustain Extensibility) is a mechanism used by + // browsers like Chrome to ensure TLS implementations correctly ignore unknown values. + // GREASE values follow a specific pattern: 0x?A0A, where ? can be any hex digit. + // These values should be ignored when processing supported TLS versions. + if v&0x0F0F == 0x0A0A && v&0xff == v>>8 { + continue + } + + // Ensure at least TLS 1.3 is offered. + if v == VersionTLS13 { + hasTLS13 = true + } else if v < VersionTLS13 { + // Reject if any non-GREASE value is below TLS 1.3, as ECH requires TLS 1.3+. + return nil, errors.New("tls: client sent encrypted_client_hello extension with unsupported versions") + } + } + + if !hasTLS13 { + return nil, errors.New("tls: client sent encrypted_client_hello extension but did not offer TLS 1.3") } return inner, nil |