crypto/tls: check client's supported versions when using QUIC

According to RFC 9001 Section 4.2, the client MUST NOT offer any TLS version
older than 1.3.

Fixes #63723.

Change-Id: Ia92f98274ca784e2bc151faf236380af51f699c1
Reviewed-on: https://go-review.googlesource.com/c/go/+/537576
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
index 07b1a38..21d798d 100644
--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
@@ -240,8 +240,15 @@
 	c.clientProtocol = selectedProto
 
 	if c.quic != nil {
+		// RFC 9001 Section 4.2: Clients MUST NOT offer TLS versions older than 1.3.
+		for _, v := range hs.clientHello.supportedVersions {
+			if v < VersionTLS13 {
+				c.sendAlert(alertProtocolVersion)
+				return errors.New("tls: client offered TLS version older than TLS 1.3")
+			}
+		}
+		// RFC 9001 Section 8.2.
 		if hs.clientHello.quicTransportParameters == nil {
-			// RFC 9001 Section 8.2.
 			c.sendAlert(alertMissingExtension)
 			return errors.New("tls: client did not send a quic_transport_parameters extension")
 		}
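Review bot: The new `v < VersionTLS13` loop in the `c.quic != nil` branch rests on two assumptions that the added comment does not state. The loop passes vacuously if `hs.clientHello.supportedVersions` is empty; presumably that cannot happen once TLS 1.3 has been negotiated, but that negotiation lies outside this hunk and should be confirmed. The check is also a plain numeric comparison, which only works because RFC 8701 GREASE values (0x0A0A and above) sort above 0x0304 and are therefore not rejected. I would extend the comment to say so, e.g. `// supportedVersions is non-empty here because TLS 1.3 was selected from it; GREASE values compare above VersionTLS13 and pass.` If no test outside this view covers it, a regression test with a QUIC ClientHello listing TLS 1.2 next to 1.3 and expecting the protocol_version alert would pin the behaviour; the enclosing function starts and ends outside the hunk.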