Add a comment about ServerHello.supported_groups.
In TLS 1.2 and below, the server is not supposed to echo it, but I just
came across a BigIP server which does. Document this so we know to take
care before trying to flip it in the future.
(It's actually kind of odd that it wasn't allowed to be sent given TLS
1.2 makes supported_groups interact with ECDSA client certificates. Ah
well.)
Change-Id: I4b97266f461e85bb1ad9bb935470e027f926d4df
Reviewed-on: https://boringssl-review.googlesource.com/10320
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 5e790a4..bb345b4 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2193,7 +2193,8 @@
static int ext_supported_groups_parse_serverhello(SSL *ssl, uint8_t *out_alert,
CBS *contents) {
- /* This extension is not expected to be echoed by servers and is ignored. */
+ /* This extension is not expected to be echoed by servers in TLS 1.2, but some
+ * BigIP servers send it nonetheless, so do not enforce this. */
return 1;
}