Edit

IABSD.fr/src/lib

Branch :

  • Show log

    Commit

  • Author : jsing
    Date : 2025-10-16 14:42:21
    Hash : 976353b5
    Message : Ensure that we specify the correct group when creating a HelloRetryRequest. When processing the client supported groups and key shares extensions, the group selection is currently based on client preference. However, when building a HRR the preferred group is identified by calling tls1_get_supported_group(). If SSL_OP_CIPHER_SERVER_PREFERENCE is enabled, group selection will be based on server instead of client preference. This in turn can result in the server sending a HRR for a group that the client has already provided a key share for, violating the RFC. Avoid this issue by storing the client preferred group when processing the key share extension, then using this group when creating the HRR. Thanks to dzwdz for identifying and reporting the issue. ok beck@ tb@