Mention hybrid key exchange for split TLS ClientHello #1340
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Would it be worth mentioning this specific case https://tldr.fail/, where TLS ClientHello processing is not implemented correctly ?
|
The case in that website is not what the bullet point is talking about. The bullet point is talking about a single TLS ClientHello spread over multiple TLS records. That's about issues like CVE-2014-3511. The common problem with hybrids is when a single-record ClientHello does not fit in a TCP packet. |
|
Thanks for point this out. I will change the PR to have a dedicate line for the tldr issue. Is that ok @davidben ? |
|
This just seems like a basic failure of how the TLS stack interacts with the TCP layer. I'm not sure we need to mention it. |
|
Understood @ekr . I'm closing it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Would it be worth mentioning this specific case https://tldr.fail/, where TLS ClientHello processing is not implemented correctly ?