WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Allow `trusted_ca_keys` with TLSv1.3 

It is possible that the client will provied `trusted_ca_keys` during a
TLSv1.3 connection with 1.2 downgrade. wolfSSL would error with
`EXT_NOT_ALLOWED`. The TLSv1.3 spec states that it can be provided and
should be ignored.

ZD 19936
pull/8860/head
Andrew Hutchings 2025-06-09 08:31:54 +01:00
parent 0bac2c2b34
commit 5e6cb2b0b6
2 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/tls.c
View File

@ -16149,7 +16149,7 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType,
/* RFC 8446 4.2.4 states trusted_ca_keys is not used /* RFC 8446 4.2.4 states trusted_ca_keys is not used
in TLS 1.3. */ in TLS 1.3. */
if (IsAtLeastTLSv1_3(ssl->version)) { if (IsAtLeastTLSv1_3(ssl->version)) {
return EXT_NOT_ALLOWED; break;
} }
else else
#endif #endif

7
tests/test-tls13-down.conf
View File

@ -119,3 +119,10 @@
-7 3 -7 3
-s -s
-l ECDHE-PSK-AES128-GCM-SHA256 -l ECDHE-PSK-AES128-GCM-SHA256
# server TLSv1.3
-v 4
# client downgrade with trusted ca
-v d
-5