TLS ServerKeyExchange with 1024 DHE may encode dh_Y as 127 bytes, breaking Internet Explorer 11

Issue #4906705


Oct 8, 2015
This issue is public.
Reported by 3 people

Sign in to watch or report this issue.

Steps to reproduce


Repro Steps:

I reproduced it by only “checking” TLS1.2 and making sure that the server offers DHE-DSS-AES256-SHA with 127-byte 1024 DHE KE (by modifying server code).

The IE will fail the handshake. Compliant TLS client will not (e.,g. openssl s_client, Firefox)

My colleague said that he also reproduced the issue with TLS_DHE_RSA_WITH_AES_128_GCM_SHA25 and scripting of SChannel.

Expected Results:

The TLS protocol never requires padding of values when values have a header telling the size. dh_Y can be encoded in fewer bytes than dh_p.

Aas you are aware, DH key agreement in TLS requires stripping of leading zeroes IE must be able to understand shorter dh_Y=g^x and it must recognize shorter DH shared secret g^xy by stripping the leading zero bytes. We expect, on average, 1 in 128 connections will depend on IE following the protocol.

Actual Results:

Dev Channel specific:



0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Sermet I.”

      Changed Assigned To to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Rob T.”

      Changed Assigned To from “Rob T.” to “Andrei P.”

      Changed Assigned To from “Andrei P.” to “IE S.”

      Changed Status

    • Hello,

      Thank you for providing this information about the issue. We confirmed the problem, and implemented a solution on a later build of Edge. We are resolving this issue as a duplicate of an existing internal bug report. We look forward to additional feedback you may have on how we can improve Microsoft Edge.

      Best Wishes,
      The MS Edge Team

    You need to sign in to your Microsoft account to add a comment.

    Sign in