openssl/openssl

RFC 8446 violation: OpenSSL returns incorrect Alert when receiving incorrect extension in ServerHello

Open

#29.353 geöffnet am 9. Dez. 2025

Auf GitHub ansehen
 (7 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)C (11.262 Forks)batch import
help wantedtriaged: bug

Repository-Metriken

Stars
 (30.157 Stars)
PR-Merge-Metriken
 (Keine gemergten PRs in 30 T)

Beschreibung

Version

3.6.0

Description

An OpenSSL TLS 1.3 client receiving a ServerHello with a StatusRequest extension returns an UnsupportedExtension Alert.

According to the RFC 8446 section 4.2 : If an implementation receives an extension which it recognizes and which is not specified for the message in which it appears, it MUST abort the handshake with an "illegal_parameter" alert. and StatusRequest extension should not be found in ServerHello message, this means that OpenSSL should return an IllegalParameter instead of an UnsupportedExtension when receiving the unsolicited StatusRequest extension.

Impact

RFC violation

Expected behavior

OpenSSL server should send an "IllegalParameter" Alert and abort the connection.

Reproduction steps

Here is an example of a TLS 1.3 handshake that triggers the described behavior :

  • Wait for a client's ClientHello
  • Send a ServerHello with a StatusRequest extension TLSv1.3 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 127 Handshake Protocol: Server Hello Handshake Type: Server Hello (2) Length: 123 Version: TLS 1.2 (0x0303) Random: 0101010101010101010101010101010101010101010101010101010101010101 Session ID Length: 0 Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301) Compression Method: null (0) Extensions Length: 83 Extension: status_request (len=0) Type: status_request (5) Length: 0 Extension: key_share (len=69) secp256r1 Type: key_share (51) Length: 69 Key Share extension Extension: supported_versions (len=2) TLS 1.3 Type: supported_versions (43) Length: 2 Supported Version: TLS 1.3 (0x0304) in raw hex: 160303007f0200007b03030101010101010101010101010101010101010101010101010101010101010101001301000053000500000033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304
  • The client should send an UnsupportedExtension alert

Start the following Python TCP server :

import socket

HOST = "0.0.0.0"
PORT = 3000

payload1 = bytes.fromhex(
    "160303007f0200007b03030101010101010101010101010101010101010101010101010101010101010101001301000053000500000033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304"
)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server_socket:
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind((HOST, PORT))
    server_socket.listen(1)
    print(f"[*] Listening on {HOST}:{PORT} ...")

    # Accept client connection
    conn, addr = server_socket.accept()
    with conn:
        print(f"[+] Connection from {addr}")

        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")

        # Send decoded payload
        conn.sendall(payload1)
        print(f"[<] Sent: {payload1.hex()}")

        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")

        data = conn.recv(1024)
        print(f"[>] Received: {data.hex()}")

Then start a TLS 1.3 OpenSSL client :

openssl s_client -tls1_3 -port 3000 -state -ciphersuites "TLS_AES_128_GCM_SHA256" -curves "P-256:P-384"

You should see the OpenSSL client sending an UnsupportedExtension alert.

Acknowledgements

This bug was found thanks to the tlspuffin fuzzer designed and developed by the tlspuffin team:

  • Max Ammann
  • Olivier Demengeon - Loria, Inria
  • Tom Gouville - Loria, Inria
  • Lucca Hirschi - Loria, Inria
  • Steve Kremer - Loria, Inria
  • Michael Mera - Loria, Inria

Contributor Guide