OK, fine, you can be forward compatible, but I still don't agree. It's my personal opinion: if I don't know what the packet format for the next version is, why should I support it? But this was not the major issue for which I started the discussion. I think the major issue is relaxing the record layer check to SSLv3, and we should fix it.

On Fri, Apr 11, 2014 at 4:32 PM, Lukas Tribus <[email protected]> wrote:
> Hi,
>
> > I think the next version may or may not contain the same client hello
> > format. If it allows, I don't have any issues; if it doesn't allow, then
> > the code may crash or it may return a bad value for SNI. I just suggested
> > it for safety reasons; it's just my input.
>
> If HAProxy would crash, we would need to fix the actual reason of the
> crash, not ignore SNI when TLS version is higher than 1.2, because an
> attacker can always send packets with TLSv1.2 and the offending payload,
> even if it's not a valid packet as per the RFC.
>
> As for bad values: SNI is a client-provided value and thus must never
> be trusted. We can use it for routing the request to different backends,
> but we always need to validate it before doing something with it.
>
> Regards,
>
> Lukas
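
The point made in the quoted reply, as an added example that is not part of the thread and not HAProxy's code: a ClientHello SNI extractor whose safety comes from bounds-checking every length field and applying a character allowlist to the name, not from the version bytes the sender chooses. All names here (`cur`, `sub`, `sni_ok`, `extract_sni`) are hypothetical, and it assumes the ClientHello fits in a single TLS record.

```c
#include <stdint.h>
#include <string.h>

struct cur { const uint8_t *p; size_t n; };   /* bounded read cursor */
static int skip(struct cur *c, size_t k) {
    if (c->n < k) return -1;
    c->p += k; c->n -= k; return 0;
}
static int get(struct cur *c, int bytes, size_t *v) {   /* big-endian integer */
    if (c->n < (size_t)bytes) return -1;
    for (*v = 0; bytes-- > 0; c->p++, c->n--) *v = (*v << 8) | *c->p;
    return 0;
}
/* Read a length prefix, then carve exactly that many bytes into s. */
static int sub(struct cur *c, int bytes, struct cur *s) {
    size_t len;
    if (get(c, bytes, &len) || c->n < len) return -1;
    s->p = c->p; s->n = len;
    return skip(c, len);
}
/* Client-supplied name: accept only letters, digits, '-' and '.'. */
static int sni_ok(const uint8_t *s, size_t n) {
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++)
        if (!((s[i] | 0x20) >= 'a' && (s[i] | 0x20) <= 'z') &&
            !(s[i] >= '0' && s[i] <= '9') && s[i] != '-' && s[i] != '.') return 0;
    return 1;
}
/* Returns the name length (out is NUL-terminated), 0 if no SNI, -1 if malformed. */
int extract_sni(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    struct cur c = { buf, len }, rec, hs, exts, ext, list, name, tmp;
    size_t t;
    /* Record version bytes are skipped, not trusted: the sender picks them. */
    if (get(&c, 1, &t) || t != 0x16 || skip(&c, 2) || sub(&c, 2, &rec)) return -1;
    if (get(&rec, 1, &t) || t != 0x01 || sub(&rec, 3, &hs)) return -1;
    if (skip(&hs, 2 + 32) || sub(&hs, 1, &tmp) || sub(&hs, 2, &tmp) ||
        sub(&hs, 1, &tmp)) return -1;        /* version, random, sid, suites, comp */
    if (hs.n == 0) return 0;                 /* no extensions present */
    if (sub(&hs, 2, &exts)) return -1;
    while (exts.n > 0) {
        if (get(&exts, 2, &t) || sub(&exts, 2, &ext)) return -1;
        if (t != 0) continue;                /* not server_name */
        if (sub(&ext, 2, &list) || get(&list, 1, &t) || t != 0 ||
            sub(&list, 2, &name)) return -1;
        if (!sni_ok(name.p, name.n) || name.n >= outsz) return -1;
        memcpy(out, name.p, name.n); out[name.n] = '\0';
        return (int)name.n;
    }
    return 0;
}
```

A caller would route on the returned name only when the result is positive, and treat -1 as a malformed hello whatever version it advertises.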

