Showing content from https://github.com/rustls/rustls/issues/2257 below:

UnsolicitedCertificateTypeExtension is not RFC 7250 compliant · Issue #2257 · rustls/rustls · GitHub

Describe the bug

Consider the following scenario:

If this client attempts to connect to the rustls server, the handshake will fail with TLS alert "handshake failure" and message "UnsolicitedCertificateTypeExtension".

This is not RFC 7250 compliant.

To Reproduce

Steps to reproduce the behavior:

  1. Run a rustls server with an X.509 cert and Raw Public Key support disabled
  2. Craft a ClientHello with a client_certificate_types extension advertising both X.509 and Raw Public Keys (RFC 7250)
  3. Attempt to connect

Applicable Version(s)

rustls 0.23.16

Expected behavior

The client and server share a supported certificate type (both understand X.509).

According to RFC 7250 Section 4.2, the server should then behave as follows:

Additional context

Here's an example of this failure in the wild. Below is a ClientHello sent by third-party software.

DEBUG  12-04 20:24:30.682265 1431788 f0   0    src/waltz/tls/fd_tls.c(1013): HEXDUMP "client hello" (194 bytes at 0x7fffe35689b0)
        0000:  01 00 00 be 03 03 76 b0 fc 10 9e b7 09 a3 0f 1c  ......v.........
        0010:  7c 1d 98 8e f6 38 4a ad 12 60 0d e8 75 ce 80 a0  |....8J..`..u...
        0020:  54 2f cc 00 44 ea 00 00 02 13 01 01 00 00 93 00  T/..D...........
        0030:  2b 00 03 02 03 04 00 33 00 26 00 24 00 1d 00 20  +......3.&.$... 
        0040:  bd c5 6b dd 45 85 c6 e2 a4 f5 aa 02 f9 7f 05 81  ..k.E...........
        0050:  a5 f4 42 83 3e 7a 73 e1 15 8d 9b 7c 42 ae 6b 31  ..B.>zs....|B.k1
        0060:  00 0a 00 04 00 02 00 1d 00 0d 00 04 00 02 08 07  ................
        0070:  00 10 00 0d 00 0b 0a 73 6f 6c 61 6e 61 2d 74 70  .......solana-tp
        0080:  75 00 39 00 2f 01 02 43 e8 03 02 45 c0 04 08 ff  u.9./..C...E....
        0090:  ff ff ff ff ff ff ff 07 02 44 d0 08 01 00 09 01  .........D......
        00a0:  00 0a 01 00 0b 02 40 64 0c 00 0f 08 8e 54 e4 ca  ......@d.....T..
        00b0:  1f 2e 30 2e 00 14 00 03 02 02 00 00 13 00 03 02  ..0.............
        00c0:  02 00                                            ..
DEBUG   12-04 20:24:30.682831 1431788 f0   0    src/waltz/quic/fd_quic.c(1673): initial pkt_number: 0
WARNING 12-04 20:24:30.682838 1431788 f0   0    src/waltz/quic/fd_quic.c(5524): fd_quic_frame_handle_conn_close_frame - error_code: 296  frame_type: 0  reason: peer is incompatible: UnsolicitedCertificateTypeExtension
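As an added example (not rustls code, not part of the issue), the program below parses the ClientHello captured in the hexdump above, extracts the two RFC 7250 certificate_type extensions, and applies the selection the issue argues for: pick the mutually supported X.509 type instead of rejecting the extension because one listed type is disabled. It assumes the TLS 1.3 ClientHello layout and the RFC 7250 CertificateType values X509 = 0 and RawPublicKey = 2.

```rust
use std::collections::HashMap;

const X509: u8 = 0;               // CertificateType X509 (RFC 7250)
const CLIENT_CERT_TYPE: u16 = 19; // client_certificate_type extension id (server_certificate_type is 20)

// The 194-byte ClientHello from the issue's hexdump, transcribed here as a literal.
const CLIENT_HELLO_HEX: &str = concat!(
    "010000be030376b0fc109eb709a30f1c", "7c1d988ef6384aad12600de875ce80a0",
    "542fcc0044ea00000213010100009300", "2b0003020304003300260024001d0020",
    "bdc56bdd4585c6e2a4f5aa02f97f0581", "a5f442833e7a73e1158d9b7c42ae6b31",
    "000a00040002001d000d000400020807", "0010000d000b0a736f6c616e612d7470",
    "750039002f010243e8030245c00408ff", "ffffffffffffff070244d00801000901",
    "000a01000b0240640c000f088e54e4ca", "1f2e302e001400030202000013000302",
    "0200"
);

fn decode_hex(s: &str) -> Vec<u8> {
    (0..s.len()).step_by(2).map(|i| u8::from_str_radix(&s[i..i + 2], 16).unwrap()).collect()
}

fn u16_at(b: &[u8], i: usize) -> usize { (b[i] as usize) << 8 | b[i + 1] as usize }

/// Walks the ClientHello body (TLS 1.3 layout) and returns extension id -> extension data.
fn client_hello_extensions(ch: &[u8]) -> HashMap<u16, Vec<u8>> {
    let mut i = 38; // handshake header (4) + legacy_version (2) + random (32)
    i += 1 + ch[i] as usize; // legacy_session_id
    i += 2 + u16_at(ch, i); // cipher_suites
    i += 1 + ch[i] as usize; // legacy_compression_methods
    let mut ext = &ch[i + 2..i + 2 + u16_at(ch, i)]; // extensions
    let mut exts = HashMap::new();
    while ext.len() >= 4 {
        let (id, len) = (u16_at(ext, 0) as u16, u16_at(ext, 2));
        exts.insert(id, ext[4..4 + len].to_vec());
        ext = &ext[4 + len..];
    }
    exts
}

/// certificate_type body: a 1-byte-length vector of types in the client's preference order.
fn cert_type_list(ext: &[u8]) -> &[u8] { &ext[1..1 + ext[0] as usize] }

/// Server-side choice: the first client-offered type the server supports. Only None
/// (no overlap at all) warrants aborting; an unsupported entry next to a supported one does not.
fn select_cert_type(offered: &[u8], supported: &[u8]) -> Option<u8> {
    offered.iter().copied().find(|t| supported.contains(t))
}

fn main() {
    let exts = client_hello_extensions(&decode_hex(CLIENT_HELLO_HEX));
    let offered = cert_type_list(&exts[&CLIENT_CERT_TYPE]); // [2, 0] = [RawPublicKey, X509] in this capture
    println!("offered {offered:?}, X.509-only server picks {:?}", select_cert_type(offered, &[X509]));
}
```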
