Merge pull request #8979 from anhu/abort_on_bad_legacy

Abort TLS connection if legacy version field is TLS 1.3 or higher
2026-01-27 12:42:25 +01:00 · 2025-07-22 17:12:39 +10:00
parent 1f72866489 dc3209b797
commit cd7256ae63
3 changed files with 100 additions and 0 deletions
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -6826,6 +6826,23 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 #endif /* WOLFSSL_DTLS13 */

    if (!ssl->options.dtls) {
+#ifndef WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION
+        /* Check for TLS 1.3 version (0x0304) in legacy version field. RFC 8446
+         * Section 4.2.1 allows this action:
+         *
+         * "Servers MAY abort the handshake upon receiving a ClientHello with
+         * legacy_version 0x0304 or later."
+         *
+         * Note that if WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION is defined then the
+         * semantics of RFC 5246 Appendix E will be followed. A ServerHello with
+         * version 1.2 will be sent. The same is true if TLS 1.3 is not enabled.
+         */
+        if (args->pv.major == SSLv3_MAJOR && args->pv.minor >= TLSv1_3_MINOR) {
+            WOLFSSL_MSG("Legacy version field is TLS 1.3 or later. Aborting.");
+            ERROR_OUT(VERSION_ERROR, exit_dch);
+        }
+#endif /* WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION */
+
        /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */
        if (args->pv.major > SSLv3_MAJOR || (args->pv.major == SSLv3_MAJOR &&
                                             args->pv.minor >= TLSv1_3_MINOR)) {