Commit 4ac2dc4c authored by David Benjamin's avatar David Benjamin Committed by CQ bot account: [email protected]
Browse files

Add a comment about ServerHello.supported_groups.

In TLS 1.2 and below, the server is not supposed to echo it, but I just
came across a BigIP server which does. Document this so we know to take
care before trying to flip it in the future.

(It's actually kind of odd that it wasn't allowed to be sent given TLS
1.2 makes supported_groups interact with ECDSA client certificates. Ah

Change-Id: I4b97266f461e85bb1ad9bb935470e027f926d4df

CQ-Verified: CQ bot account: [email protected] <[email protected]>
Reviewed-by: default avatarAdam Langley <[email protected]>
Commit-Queue: Adam Langley <[email protected]>
parent aa248515
......@@ -2193,7 +2193,8 @@ static int ext_supported_groups_add_clienthello(SSL *ssl, CBB *out) {
static int ext_supported_groups_parse_serverhello(SSL *ssl, uint8_t *out_alert,
CBS *contents) {
/* This extension is not expected to be echoed by servers and is ignored. */
/* This extension is not expected to be echoed by servers in TLS 1.2, but some
* BigIP servers send it nonetheless, so do not enforce this. */
return 1;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment