crypto/tls: error handshake if there are duplicate TLS extensions #51088
Labels
FrozenDueToAge
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
When unmarshalling a
serverHello
message, we currently just iterate over the set of all all extensions that appear in the message. If a given extension appears more than once, the last instance of that extension "wins", with its contents (for example, the ALPN protocol) being written to the appropriate field (e.g..alpnProtocol) on the
serverHelloMsg` struct.The same is true when a TLS server unmarshalls a
clientHello
message.What did you expect to see?
RFC 5246, Section 7.4.1.4, which specifies TLS 1.2, states "There MUST NOT be more than one extension of the same type.". There is an equivalent statement in RFC 8446, Section 4.2, which specifies TLS 1.3. Therefore I expected message unmarshalling to fail if multiple extensions of the same type are present.
What did you see instead?
Message unmarshalling does not fail.
It should be noted: the relevant RFCs do not specify that one end of the connection MUST abort the connection if the other end sends duplicate extensions, so there is a reasonable interpretation that it is only required that the library not produce messages with duplicate extensions.
The text was updated successfully, but these errors were encountered: