Compatibility of X25519Kyber768 ClientHello
Jeffrey Walton
noloader at gmail.com
Mon Oct 9 18:47:27 UTC 2023
On Mon, Oct 9, 2023 at 11:55 AM Gentry Deng via nginx <nginx at nginx.org> wrote:
>
> ...
> I'm able to reproduce the problem. It looks like a bug in www.paypal.cn's server. They didn't implement TLS 1.2 correctly. Specifically, they do not correctly handle when the ClientHello comes in in two reads. Before Kyber, this wasn't very common because ClientHellos usually fit in a packet. But Kyber makes ClientHellos larger, so it is possible to get only a partial ClientHello in the first read, and require a second read to try again. This is something that any TCP-based application needs to handle; you may not have gotten the whole message on a given read and need to keep on reading.
>
> www.paypal.cn will need to fix their server to correctly handle this case.
It sounds like this, assuming they are using a F5:
<https://my.f5.com/manage/s/article/K72042050>.
Broken middleware is always interesting. One of my favorites was
Ironport and its fixed sized buffer for a ClientHello that resulted in
buffer overflows and crashes when TLS 1.1 and TLS 1.2 increased the
size of a ClientHello due to additional cipher suites. See
<https://www.mail-archive.com/openssl-users@openssl.org/msg73489.html>.
Jeff
More information about the nginx
mailing list