TLS ServerKeyExchange with 1024 DHE may encode dh_Y as 127 bytes, breaking Internet Explorer 11

Duplicate Issue #4906705 • See Issue #2909068

Details

Created
Oct 8, 2015
Privacy
This issue is public.
Duplicates
See progress on Bug #2909068
Reports
Reported by 3 people


Steps to reproduce

URL:

Repro Steps:

I reproduced it by only “checking” TLS1.2 and making sure that the server offers DHE-DSS-AES256-SHA with 127-byte 1024 DHE KE (by modifying server code).

IE will fail the handshake. A compliant TLS client will not (e.g. openssl s_client, Firefox).

My colleague said that he also reproduced the issue with TLS_DHE_RSA_WITH_AES_128_GCM_SHA25 and scripting of SChannel.

Expected Results:

The TLS protocol never requires padding of values when values have a header telling the size. dh_Y can be encoded in fewer bytes than dh_p.

As you are aware, DH key agreement in TLS requires stripping of leading zeroes (https://tools.ietf.org/html/rfc5246#section-8.1.2). IE must be able to understand shorter dh_Y=g^x and it must recognize shorter DH shared secret g^xy by stripping the leading zero bytes. We expect, on average, 1 in 128 connections will depend on IE following the protocol.

Actual Results:

Dev Channel specific:

No

Attachments

0 attachments
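
The encoding described in the report, as an added example (not part of the original report, and not SChannel or OpenSSL code): a parser for the TLS ServerDHParams structure (the RFC 5246 field name for dh_Y is dh_Ys) that takes each field's length from its own 2-byte prefix, so a 127-byte dh_Ys beside a 128-byte dh_p is accepted, plus a premaster-secret helper that strips leading zero bytes. The function names and the 1024-bit modulus are constructed for illustration; the modulus is a stand-in, not a vetted DH group.

```python
import struct

def read_opaque16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_server_dh_params(buf):
    """Parse dh_p, dh_g, dh_Ys. Returns (p, g, ys, encoded length of dh_Ys)."""
    p_raw, off = read_opaque16(buf, 0)
    g_raw, off = read_opaque16(buf, off)
    ys_raw, off = read_opaque16(buf, off)
    p, g, ys = (int.from_bytes(v, "big") for v in (p_raw, g_raw, ys_raw))
    # Validate dh_Ys by value. Requiring len(ys_raw) == len(p_raw) is the
    # interoperability failure described in the report.
    if not 1 < ys < p - 1:
        raise ValueError("dh_Ys out of range")
    return p, g, ys, len(ys_raw)

def premaster_secret(ys, x, p):
    """RFC 5246 section 8.1.2: leading all-zero bytes of Z are stripped."""
    z = pow(ys, x, p)
    return z.to_bytes((z.bit_length() + 7) // 8, "big")

def encode_params(p, g, ys):
    """Minimal-length encoding of each value, as a compliant server may send."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed sample: 1024-bit odd modulus (stand-in, not a vetted DH group),
# g = 2, and a public value 2**1010 that needs only 127 bytes.
CONSTRUCTED_P = 2**1024 - 159
SAMPLE = encode_params(CONSTRUCTED_P, 2, pow(2, 1010, CONSTRUCTED_P))

if __name__ == "__main__":
    p, g, ys, ys_len = parse_server_dh_params(SAMPLE)
    print("dh_p bytes:", (p.bit_length() + 7) // 8, "dh_Ys bytes:", ys_len)
    print("premaster bytes:", len(premaster_secret(ys, 0x1234567, p)))
```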

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Sermet I.”

      Changed Assigned To to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Rob T.”

      Changed Assigned To from “Rob T.” to “Andrei P.”

      Changed Assigned To from “Andrei P.” to “IE S.”

      Changed Status to “Duplicate”
