Skip to content

TLS 1.3, plaintext alert: ignore when expecting encrypted #9466

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

TLS 1.3, plaintext alert: ignore when expecting encrypted #9466

wants to merge 1 commit into from
+189 −36

Conversation

@SparkiDev
Copy link
Contributor

@SparkiDev SparkiDev commented Nov 24, 2025

Description

In TLS 1.3, ignore valid unencrypted alerts that appear after encryption has started.
Only ignore WOLFSSL_ALERT_COUNT_MAX-1 alerts.

Fixes zd#20857

Testing

./configure --disable-shared
make
./tests/unit.test -test_tls13_plaintext_alert

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@SparkiDev SparkiDev self-assigned this Nov 24, 2025
@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Nov 24, 2025

🛟 Devin Lifeguard found 1 likely issues in this PR

  • check-all-return-codes snippet snippet snippet: Capture and assert the return value of wolfSSL_SetIORecv, wolfSSL_SetIOSend and wolfSSL_SetIOReadCtx (e.g. ExpectIntEQ(wolfSSL_SetIORecv(ctx, MbRecv), WOLFSSL_SUCCESS);).

@SparkiDev
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

@SparkiDev SparkiDev force-pushed the tls13_pt_alert_when_enc branch from 64ca090 to 130c70d Compare November 24, 2025 02:59
@SparkiDev
TLS 1.3, plaintext alert: ignore when expecting encrypted
8943d6c 
In TLS 1.3, ignore valid unencrypted alerts that appear after encryption
has started.
Only ignore WOLFSSL_ALERT_COUNT_MAX-1 alerts.
@SparkiDev SparkiDev force-pushed the tls13_pt_alert_when_enc branch from 130c70d to 8943d6c Compare November 24, 2025 08:08
@rizlik
Copy link
Contributor

rizlik commented Nov 24, 2025
edited
Loading

If the goal of this PR is to protect against DoS I don't think it's a good idea:

  • under TCP one can easily forge a RST packet and close the connection
  • peer can still forge arbitrary packets that cause the handshake to error out (handshake, app_data) ecc

UDP is different but DtlsShouldDrop ignores plaintext packet after handshake keys are computed.

@SparkiDev
Copy link
Contributor Author

SparkiDev commented Nov 24, 2025
edited
Loading

DoS can be done by any message, it doesn't have to be a valid alert.
But yes that is the report.

Instead the PR is about skipping alerts that were sent by the client before it received anything from the server to indicate it should be encrypted. OpenSSL and others do this.

May make this a compile time option.

@SparkiDev
Copy link
Contributor Author

SparkiDev commented Nov 24, 2025

retest this please

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@SparkiDev SparkiDev

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SparkiDev @rizlik