RFC 8446 violation: OpenSSL returns incorrect Alert when receiving incorrect extension in ServerHello
#29.353 geöffnet am 9. Dez. 2025
Repository-Metriken
- Stars
- (30.157 Stars)
- PR-Merge-Metriken
- (Keine gemergten PRs in 30 T)
Beschreibung
Version
3.6.0
Description
An OpenSSL TLS 1.3 client receiving a ServerHello with a StatusRequest extension returns an UnsupportedExtension Alert.
According to the RFC 8446 section 4.2 : If an implementation receives an extension which it recognizes and which is not specified for the message in which it appears, it MUST abort the handshake with an "illegal_parameter" alert. and StatusRequest extension should not be found in ServerHello message, this means that OpenSSL should return an IllegalParameter instead of an UnsupportedExtension when receiving the unsolicited StatusRequest extension.
Impact
RFC violation
Expected behavior
OpenSSL server should send an "IllegalParameter" Alert and abort the connection.
Reproduction steps
Here is an example of a TLS 1.3 handshake that triggers the described behavior :
- Wait for a client's ClientHello
- Send a ServerHello with a StatusRequest extension
TLSv1.3 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 127
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 123
Version: TLS 1.2 (0x0303)
Random: 0101010101010101010101010101010101010101010101010101010101010101
Session ID Length: 0
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Compression Method: null (0)
Extensions Length: 83
Extension: status_request (len=0)
Type: status_request (5)
Length: 0
Extension: key_share (len=69) secp256r1
Type: key_share (51)
Length: 69
Key Share extension
Extension: supported_versions (len=2) TLS 1.3
Type: supported_versions (43)
Length: 2
Supported Version: TLS 1.3 (0x0304)
in raw hex:
160303007f0200007b03030101010101010101010101010101010101010101010101010101010101010101001301000053000500000033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304 - The client should send an
UnsupportedExtensionalert
Start the following Python TCP server :
import socket
HOST = "0.0.0.0"
PORT = 3000
payload1 = bytes.fromhex(
"160303007f0200007b03030101010101010101010101010101010101010101010101010101010101010101001301000053000500000033004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b00020304"
)
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server_socket:
server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server_socket.bind((HOST, PORT))
server_socket.listen(1)
print(f"[*] Listening on {HOST}:{PORT} ...")
# Accept client connection
conn, addr = server_socket.accept()
with conn:
print(f"[+] Connection from {addr}")
data = conn.recv(1024)
print(f"[>] Received: {data.hex()}")
# Send decoded payload
conn.sendall(payload1)
print(f"[<] Sent: {payload1.hex()}")
data = conn.recv(1024)
print(f"[>] Received: {data.hex()}")
data = conn.recv(1024)
print(f"[>] Received: {data.hex()}")
Then start a TLS 1.3 OpenSSL client :
openssl s_client -tls1_3 -port 3000 -state -ciphersuites "TLS_AES_128_GCM_SHA256" -curves "P-256:P-384"
You should see the OpenSSL client sending an UnsupportedExtension alert.
Acknowledgements
This bug was found thanks to the tlspuffin fuzzer designed and developed by the tlspuffin team:
- Max Ammann
- Olivier Demengeon - Loria, Inria
- Tom Gouville - Loria, Inria
- Lucca Hirschi - Loria, Inria
- Steve Kremer - Loria, Inria
- Michael Mera - Loria, Inria