Re: Removing Extensions from Client Hello Header

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 11/11/2019 20:51, Phil Neumiller wrote:
>     Extension: ec_point_formats (len=4)
>         Type: ec_point_formats (11)
>         Length: 4
>         EC point formats Length: 3
>         Elliptic curves point formats (3)
>             EC point format: uncompressed (0)
>             EC point format: ansiX962_compressed_prime (1)
>             EC point format: ansiX962_compressed_char2 (2)

>     Extension: session_ticket (len=0)
>         Type: session_ticket (35)
>         Length: 0
>         Data (0 bytes)
>     Extension: encrypt_then_mac (len=0)
>         Type: encrypt_then_mac (22)
>         Length: 0
>     Extension: extended_master_secret (len=0)
>         Type: extended_master_secret (23)
>         Length: 0


You don't need these four for TLSv1.3

SSL_OP_NO_TICKET will turn off session_ticket.
SSL_OP_NO_ENCRYPT_THEN_MAC will turn off encrypt_then_mac.
SSL_OP_NO_EXTENDED_MASTER_SECRET will turn off extended_master_secret.

Don't switch off encrypt-then-mac or extended-master-secret unless you
*really* need to. They don't do anything in TLSv1.3 but if you ever
ended up negotiating TLSv1.2 by mistake for some reason then switching
these things off has security consequences.

I think the only way to get rid of ec_point_formats would be to disable
EC from being used completely. But, you need EC to be enabled in order
use TLSv1.3 (at least in 1.1.1 - in master its different). So I don't
think you can get rid of this extension.

But I'd really look at why your hardware is failing when these
extensions are present. Is it intolerant of one particular extension? If
so I'd just disable that one.


Matt






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux