Tolerate a bad record version in TLSv1.3 plaintext records
When a server responds to a second TLSv1.3 ClientHello it is required to
set the legacy_record_version to 0x0303 (TLSv1.2). The client is required
to ignore that field even if it is wrong. The recent changes to the read
record layer in PR #18132 made the record layer stricter and it was
checking that the legacy_record_version was the correct value. This
caused connection failures when talking to buggy servers that set the
wrong legacy_record_version value.

We make ourselves more tolerant again.

Fixes #19051

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #19058)
mattcaswell authored and t8m committed Aug 29, 2022
1 parent 6347b86 commit 2093428
Showing 1 changed file with 2 additions and 8 deletions.
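The rule the commit message describes, applied in a stand-alone record-header check, as an added example written for this page rather than OpenSSL's own code: with `strict` set it reproduces the over-strict behaviour that rejected any `legacy_record_version` other than 0x0303, and without it the field is ignored as RFC 8446 requires while content type and length are still enforced. The function name, macro names and the two sample headers are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Content types and versions from RFC 8446 section 5.1. */
#define TLS_RT_CCS              20
#define TLS_RT_ALERT            21
#define TLS_RT_HANDSHAKE        22
#define TLS_RT_APPDATA          23
#define TLS1_2_VERSION          0x0303
#define TLS_MAX_PLAINTEXT_LEN   16384   /* 2^14 */
#define TLS_RECORD_HDR_LEN      5

/*
 * Validate the 5-byte header of a plaintext record on a connection that has
 * negotiated TLSv1.3 (or, after a HelloRetryRequest, is about to).
 * strict != 0 reproduces the behaviour the commit reverts: any
 * legacy_record_version other than 0x0303 is rejected.  strict == 0 ignores
 * that field, as RFC 8446 requires, while still enforcing the content type
 * and the record length bound.  Returns 1 if acceptable, 0 otherwise.
 */
static int check_tls13_plaintext_header(const uint8_t *buf, size_t len,
                                        int strict)
{
    uint8_t type;
    uint16_t legacy_version, length;

    if (buf == NULL || len < TLS_RECORD_HDR_LEN)
        return 0;                                   /* truncated header */
    type = buf[0];
    legacy_version = (uint16_t)((buf[1] << 8) | buf[2]);
    length = (uint16_t)((buf[3] << 8) | buf[4]);

    if (type != TLS_RT_CCS && type != TLS_RT_ALERT
            && type != TLS_RT_HANDSHAKE && type != TLS_RT_APPDATA)
        return 0;                                   /* unknown content type */
    if (length > TLS_MAX_PLAINTEXT_LEN)
        return 0;                                   /* oversized record */
    if (strict && legacy_version != TLS1_2_VERSION)
        return 0;                                   /* the over-strict check */
    return 1;
}

/* Constructed samples (not captured traffic): a ServerHello header from a
 * buggy server that wrote 0x0304 instead of 0x0303 as legacy_record_version,
 * and a header with a bogus content type but the "correct" version. */
static const uint8_t kBuggyServerHelloHdr[] = { 0x16, 0x03, 0x04, 0x00, 0x5a };
static const uint8_t kBadContentTypeHdr[]   = { 0x99, 0x03, 0x03, 0x00, 0x10 };
```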
10 changes: 2 additions & 8 deletions ssl/record/methods/tlsany_meth.c
@@ -87,15 +87,9 @@ static int tls_validate_record_header(OSSL_RECORD_LAYER *rl, SSL3_RECORD *rec)
} else if (rl->version == TLS1_3_VERSION) {
/*
* In this case we know we are going to negotiate TLSv1.3, but we've
* had an HRR, so we haven't actually done so yet. Nonetheless we
* still expect the record version to be TLSv1.2 as per a normal
* TLSv1.3 record
* had an HRR, so we haven't actually done so yet. In TLSv1.3 we
* must ignore the legacy record version in plaintext records.
*/
if (rec->rec_version != TLS1_2_VERSION) {
RLAYERfatal(rl, SSL_AD_PROTOCOL_VERSION,
SSL_R_WRONG_VERSION_NUMBER);
return 0;
}
} else if (rec->rec_version != rl->version) {
if ((rl->version & 0xFF00) == (rec->rec_version & 0xFF00)) {
if (rec->type == SSL3_RT_ALERT) {
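Review bot: No regression test accompanies this change (only ssl/record/methods/tlsany_meth.c is touched), so nothing exercises the case the message describes, a server that answers the second ClientHello with a legacy_record_version other than 0x0303; a test that feeds such a ServerHello record through the read record layer in the HRR state would stop the strict check from being reintroduced. Also worth a line in the comment: with the `if (rec->rec_version != TLS1_2_VERSION)` block gone, the `else if (rl->version == TLS1_3_VERSION)` branch now contains only a comment, so stating explicitly that the empty body is intentional (and that the content type and length checks elsewhere in this function still apply) will save the next reader from assuming the check was dropped by mistake.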
