Diffstat (limited to 'src')
-rw-r--r--src/crypto/tls/bogo_config.json3
-rw-r--r--src/crypto/tls/handshake_server.go10
2 files changed, 9 insertions, 4 deletions
diff --git a/src/crypto/tls/bogo_config.json b/src/crypto/tls/bogo_config.json
index f61f234760..51482feddd 100644
--- a/src/crypto/tls/bogo_config.json
+++ b/src/crypto/tls/bogo_config.json
@@ -66,11 +66,8 @@
"SupportTicketsWithSessionID": "TODO: first pass, this should be fixed",
"NoNullCompression-TLS12": "TODO: first pass, this should be fixed",
"KeyUpdate-RequestACK": "TODO: first pass, this should be fixed",
- "ClientHelloVersionTooHigh": "TODO: first pass, this should be fixed",
- "MinorVersionTolerance": "TODO: first pass, this should be fixed",
"IgnoreClientVersionOrder": "TODO: first pass, this should be fixed",
"SupportedVersionSelection-TLS12": "TODO: first pass, this should be fixed",
- "MajorVersionTolerance": "TODO: first pass, this should be fixed",
"DuplicateExtensionServer-TLS-TLS1": "TODO: first pass, this should be fixed",
"DuplicateExtensionClient-TLS-TLS1": "TODO: first pass, this should be fixed",
"UnsolicitedServerNameAck-TLS-TLS1": "TODO: first pass, this should be fixed",
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index 77da9bb294..5be74e2967 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -169,7 +169,15 @@ func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, *echServer
c.ticketKeys = originalConfig.ticketKeys(configForClient)
clientVersions := clientHello.supportedVersions
- if len(clientHello.supportedVersions) == 0 {
+ if clientHello.vers >= VersionTLS13 && len(clientVersions) == 0 {
+ // RFC 8446 4.2.1 indicates when the supported_versions extension is not sent,
+ // compatible servers MUST negotiate TLS 1.2 or earlier if supported, even
+ // if the client legacy version is TLS 1.3 or later.
+ //
+ // Since we reject empty extensionSupportedVersions in the client hello unmarshal
+ // finding the supportedVersions empty indicates the extension was not present.
+ clientVersions = supportedVersionsFromMax(VersionTLS12)
+ } else if len(clientVersions) == 0 {
clientVersions = supportedVersionsFromMax(clientHello.vers)
}
c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)