summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorBob Beck <beck@cvs.openbsd.org>2024-03-28 00:22:36 +0000
committerBob Beck <beck@cvs.openbsd.org>2024-03-28 00:22:36 +0000
commitd27ce8ce2f9529b5653c7725d573fe9901f76608 (patch)
tree0c89de01fd304b1a43d48c1f29b82a5226600923 /lib
parent9614eb312e7a7e96ed4029679056b6b2fc829678 (diff)
Stop pandering to the loadbalancer industrial complex.
So we initially kept this hack around for f5 boxes that should have been patched in 2014, and were not as of 2017. The f5 article for the bug archived on their web site, and any of these devices on the public internet will have since been upgraded to deal with a host of record layer, TLS, and other bugs, or they likely won't be talking to modern stacks, since as of this point the software with the bug would not have been updated in 10 years. So just make this spec compliant and reject a supported groups extension that should not have been sent by a server. ok tb@ jsing@
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/ssl_tlsext.c20
1 files changed, 3 insertions, 17 deletions
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 14cf6fce84b..6649baf291f 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.145 2024/03/27 22:27:09 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.146 2024/03/28 00:22:35 beck Exp $ */
/*
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -324,22 +324,8 @@ static int
tlsext_supportedgroups_client_process(SSL *s, uint16_t msg_type, CBS *cbs,
int *alert)
{
- /*
- * Servers should not send this extension per the RFC.
- *
- * However, certain F5 BIG-IP systems incorrectly send it. This bug is
- * from at least 2014 but as of 2017, there are still large sites with
- * this unpatched in production. As a result, we need to currently skip
- * over the extension and ignore its content:
- *
- * https://support.f5.com/csp/article/K37345003
- */
- if (!CBS_skip(cbs, CBS_len(cbs))) {
- *alert = SSL_AD_INTERNAL_ERROR;
- return 0;
- }
-
- return 1;
+ /* Servers should not send this extension per the RFC. */
+ return 0;
}
/*