This is the most naïve and dirtiest effort, but I don't know where else it's called - not going to check it and fix calling it with nonsense numbers - so I went like this:

    /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
    static AnyP::ProtocolVersion
    ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
    {
        Parser::BinaryTokenizerContext context(tk, contextLabel);
        uint8_t vMajor = tk.uint8(".major");
        uint8_t vMinor = tk.uint8(".minor");
        if (vMajor > 3)
            return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, 0);
        if (vMajor == 0 && vMinor == 2)
            return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
        Must(vMajor == 3);
        if (vMinor == 0)
            return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
        return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
    }

So - if someone tries to fool us with random numbers - rule it out as TLS 1.0. I know it deserves more - this code does what it is not meant to be doing etc. etc. (for every version >3 it returns something). But:

2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(65) got: Extension.type=43 occupying 2 bytes @164 in 0x7ffcd4777170.
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(65) got: Extension.data.length=11 occupying 2 bytes @166 in 0x7ffcd4777170.
2020/06/17 13:02:12.978 kid2| 24,8| SBuf.cc(38) SBuf: SBuf15611 created from id SBuf15576
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(74) got: Extension.data.octets= 0a7a7a0304030303020301 occupying 11 bytes @168 in 0x7ffcd4777170.
2020/06/17 13:02:12.978 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15611 destructed
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(57) got: Extension occupying 15 bytes @164 in 0x7ffcd4777170.
2020/06/17 13:02:12.978 kid2| 24,8| SBuf.cc(38) SBuf: SBuf15612 created from id SBuf15610
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(65) got: SupportedVersions.length=10 occupying 1 bytes @0 in 0x7ffcd4776fd0.
2020/06/17 13:02:12.978 kid2| 24,8| SBuf.cc(38) SBuf: SBuf15613 created from id SBuf15612
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(74) got: SupportedVersions.octets= 7a7a0304030303020301 occupying 10 bytes @1 in 0x7ffcd4776fd0.
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(38) SBuf: SBuf15614 created from id SBuf15613
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15613 destructed
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=122 occupying 1 bytes @0 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=122 occupying 1 bytes @1 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=3 occupying 1 bytes @2 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=4 occupying 1 bytes @3 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=3 occupying 1 bytes @4 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=3 occupying 1 bytes @5 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=3 occupying 1 bytes @6 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=2 occupying 1 bytes @7 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=3 occupying 1 bytes @8 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=1 occupying 1 bytes @9 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15614 destructed
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15612 destructed
2020/06/17 13:02:12.979 kid2| 83,7| Handshake.cc(594) parseSupportedVersionsExtension: found TLS/1.3
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15610 destructed

Note 7a7a0304030303020301, 0x7A = 122.

I think fixing it everywhere would involve BinaryTokenizing the extension string (like tkVersions) and checking every value sent to ParseProtocolVersion. In the Handshake.cc file, on about six occasions. It seems very likely that *some* vendors will send nonsense values to the other parts as well. So it would be nice to have them all sanitized. To me it looks like a Google initiative - but I could be wrong.

Anyway - what seemed to be a problem with TLS on my box now seems to be a problem with additive, random numbers in the supported versions string - waiting for someone to investigate it further...

LL

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
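The 0x7A7A value in the log above is a GREASE version (RFC 8701: both bytes equal, low nibble 0xA), which is why it parses as major=122/minor=122. As an added, stand-alone example (not Squid code, and not the patch above), this parser walks the supported_versions extension body, drops GREASE entries instead of coercing them to TLS/1.0, and rejects a malformed length rather than reading past the buffer; the input bytes are the octets copied from the debug log.

```cpp
// Added example (not Squid code): parse a TLS supported_versions extension
// body (RFC 8446 4.2.1: 1-byte length, then 2-byte ProtocolVersions) while
// recognising RFC 8701 GREASE values (0x0A0A, 0x1A1A, ..., 0xFAFA).
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// GREASE versions have identical bytes whose low nibble is 0xA.
static bool isGreaseVersion(uint8_t major, uint8_t minor) {
    return major == minor && (major & 0x0F) == 0x0A;
}

// Map a wire (major, minor) pair to a name. Unknown values throw so the
// caller decides what to do, instead of silently becoming "TLS/1.0".
static std::string versionName(uint8_t major, uint8_t minor) {
    if (major == 3 && minor == 0) return "SSL/3.0";
    if (major == 3 && minor >= 1 && minor <= 4) return "TLS/1." + std::to_string(minor - 1);
    throw std::runtime_error("unsupported ProtocolVersion");
}

// Return the real (non-GREASE) versions in the client's preference order.
// Bounds are checked before any byte is read: a bad length is an error, not
// a read beyond the extension.
static std::vector<std::string> parseSupportedVersions(const std::vector<uint8_t> &body) {
    if (body.empty()) throw std::runtime_error("truncated supported_versions");
    const size_t len = body[0];
    if (len == 0 || len % 2 != 0 || len + 1 != body.size())
        throw std::runtime_error("bad supported_versions length");
    std::vector<std::string> versions;
    for (size_t i = 1; i < body.size(); i += 2) {
        const uint8_t major = body[i], minor = body[i + 1];
        if (isGreaseVersion(major, minor)) continue; // client probing tolerance; ignore
        versions.push_back(versionName(major, minor));
    }
    return versions;
}

// Returns true when the body is rejected as malformed (used for the
// truncated-list case, where length claims more versions than are present).
static bool rejectsBody(const std::vector<uint8_t> &body) {
    try { parseSupportedVersions(body); return false; }
    catch (const std::runtime_error &) { return true; }
}

// Constructed from the debug log above: length 0x0a, then 7a7a 0304 0303 0302 0301.
static const std::vector<uint8_t> kLoggedExtension =
    {0x0a, 0x7a, 0x7a, 0x03, 0x04, 0x03, 0x03, 0x03, 0x02, 0x03, 0x01};
```

On the logged bytes this yields TLS/1.3, TLS/1.2, TLS/1.1, TLS/1.0 with the GREASE entry dropped; a body whose length byte does not match the data is rejected before any version is decoded.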