Dear all,

we are working on an approach/framework for testing TLS implementations (currently only servers, but clients are planned for the future as well). While running our tests against a bunch of different TLS (server) implementations, we found several types of suspicious behaviour (see below). As the TLS specification left me with doubts on what the correct behaviour should be, I'd like to raise these questions here (please let me know if this is not the appropriate place or this has been answered before).

(1) Several server implementations seem to ignore the list of proposed compression methods in a ClientHello and simply select null compression even if that has not been in the ClientHello's list. The specification is rather clear that null compression MUST be part of the list. However, I'm not aware of any clear statement about what a compliant server should do in case it receives a ClientHello without null compression. My best guess would have been that in such cases the server should abort the handshake (at least if it does not support whatever the client proposed).

(2) In a ClientHello several server implementations don't ignore data following the extension list. That is, they somehow seem to ignore the length field of the extension list and simply consider everything following the list of compression methods as extensions. Aside from this certainly being a deviation from the specification, I was wondering whether a server should silently ignore data following the extension list (e.g. for the sake of upward compatibility) or (as one could infer from RFC5246, p. 42) send e.g. a "decode_error" alert.

(3) If a ClientHello contains multiple extensions of the same type, several server implementations proceed with the handshake (even if they parse these specific extensions). The specification again is clear that "there MUST NOT be more than one extension of the same type". However, what should a server do in case there are? Again, my guess would be that it should abort the handshake. Should this also be the case for extensions that a server simply ignores (as it e.g. doesn't know them)?

Thank you very much.

Cheers,
Andi

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
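
Added example, not part of the original message: a strict ClientHello body check that detects the three conditions (1) to (3) raised above. The names `check_client_hello`, `build_hello` and the finding strings are hypothetical, and the code only reports each condition; which alert a server should send in response is the open question of the message and is not decided here.

```python
class DecodeError(ValueError):
    """Structurally malformed ClientHello (truncated or inconsistent lengths)."""

def _vec(buf, off, len_bytes):
    """Read a length-prefixed vector; return (payload, offset after it)."""
    if off + len_bytes > len(buf):
        raise DecodeError("truncated length field")
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    off += len_bytes
    if off + n > len(buf):
        raise DecodeError("vector overruns message")
    return buf[off:off + n], off + n

def check_client_hello(body):
    """Return findings for a ClientHello body (handshake header already stripped)."""
    findings = []
    off = 2 + 32                       # client_version + random
    if len(body) < off:
        raise DecodeError("truncated before session_id")
    _, off = _vec(body, off, 1)        # session_id
    _, off = _vec(body, off, 2)        # cipher_suites
    comp, off = _vec(body, off, 1)     # compression_methods
    if 0 not in comp:                  # case (1): null compression not offered
        findings.append("no_null_compression")
    if off == len(body):               # message carries no extensions block
        return findings
    exts, off = _vec(body, off, 2)     # honour the extensions length field
    if off != len(body):               # case (2): bytes after the extension list
        findings.append("trailing_data")
    seen, pos = set(), 0
    while pos < len(exts):             # walk only inside the declared length
        if pos + 2 > len(exts):
            raise DecodeError("truncated extension header")
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        _, pos = _vec(exts, pos + 2, 2)
        if ext_type in seen:           # case (3): checked for unknown types too
            findings.append(f"duplicate_extension_{ext_type}")
        seen.add(ext_type)
    return findings

def build_hello(comp=b"\x00", exts=(), trailer=b""):
    """Constructed sample input: minimal TLS 1.2 ClientHello body."""
    blob = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d
                    for t, d in exts)
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f"
            + bytes([len(comp)]) + comp
            + len(blob).to_bytes(2, "big") + blob + trailer)
```

Because duplicates are tracked by type number alone, the check in case (3) also fires for extension types the server would otherwise skip as unknown.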