s2n-quic icon indicating copy to clipboard operation
s2n-quic copied to clipboard
verified publisher icon aws

fail earlier when handling malformed ClientHello (s2n-tls)

Open toidiu opened this issue 3 years ago • 1 comments

NOTE: This is an integration bug and not a bug with s2n-tls/rustls. All references to s2n-tls and rustls mean the integration of tls provider with s2n-quic.

Currently rustls and s2n-tls behavior differs when the Initial Client packet is malformed.

  • rustls integration detects the malformed data, and we respond with an Error.
  • s2n-tls integration: we (server) sends an Ack, some crypto data... (a ConnectionNode is added for the connection, only to be removed soon after).

Proposed Fix:

The error is then detected in the function session_context::on_one_rtt_keys() and the connection.close() is invoked. The s2n-tls integration seems needlessly expensive and can be optimized so that we send a ConnectionClose and discard the connection rather than adding it to the connection_map.

This will require some refactor of the tls provider integration code https://github.com/awslabs/s2n-quic/blob/main/quic/s2n-quic-tls/src/session.rs

toidiu avatar Jan 28 '22 20:01 toidiu

This PR adds some checks and helps verify the behavior in the issue: https://github.com/awslabs/s2n-quic/pull/1110

toidiu avatar Jan 29 '22 01:01 toidiu