Steps to reproduce
I reproduced it by only “checking” TLS1.2 and making sure that the server offers DHE-DSS-AES256-SHA with 127-byte 1024 DHE KE (by modifying server code).
IE will fail the handshake. A compliant TLS client will not (e.g. openssl s_client, Firefox).
My colleague said that he also reproduced the issue with TLS_DHE_RSA_WITH_AES_128_GCM_SHA25 and scripting of SChannel.
The TLS protocol never requires padding of values when values have a header telling the size. dh_Y can be encoded in fewer bytes than dh_p.
As you are aware, DH key agreement in TLS requires stripping of leading zeroes: https://tools.ietf.org/html/rfc5246#section-8.1.2. IE must be able to understand shorter dh_Y=g^x and it must recognize shorter DH shared secret g^xy by stripping the leading zero bytes. We expect, on average, 1 in 128 connections will depend on IE following the protocol.
Dev Channel specific:
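The encoding behaviour the report describes, as an added Python example that is not part of the original report and is not SChannel or OpenSSL code. The function names are hypothetical, and `P` is a constructed 1024-bit odd modulus, not a vetted DH prime; only the byte lengths matter here.

```python
import struct

P = 2**1023 + 1155   # constructed 128-byte modulus (assumption, not a real DH group)
G = 2

def encode_opaque16(n: int) -> bytes:
    """TLS opaque<1..2^16-1>: 2-byte length header, then minimal big-endian bytes."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return struct.pack("!H", len(body)) + body

def parse_server_dh_params(buf: bytes):
    """Read dh_p, dh_g, dh_Ys by their own length headers, never by len(dh_p)."""
    vals, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(buf):
            raise ValueError(f"truncated length header for {name}")
        (n,) = struct.unpack_from("!H", buf, off)
        off += 2
        if n == 0 or off + n > len(buf):
            raise ValueError(f"bad length for {name}")
        vals.append(int.from_bytes(buf[off:off + n], "big"))
        off += n
    p, g, ys = vals
    if not 1 < ys < p - 1:
        raise ValueError("dh_Ys out of range")
    return p, g, ys, off

def premaster_secret(peer_y: int, priv: int, p: int) -> bytes:
    """RFC 5246 section 8.1.2: leading all-zero bytes of Z are stripped."""
    z = pow(peer_y, priv, p)
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")

def find_short_public(start: int):
    """Search for a private x whose public value g^x mod P needs exactly 127 bytes.
    About one candidate in 256 qualifies."""
    x = start
    while True:
        y = pow(G, x, P)
        if 1008 < y.bit_length() <= 1016:
            return x, y
        x += 1

if __name__ == "__main__":
    x, y = find_short_public(3**600)
    msg = encode_opaque16(P) + encode_opaque16(G) + encode_opaque16(y)
    p, g, ys, _ = parse_server_dh_params(msg)
    print("dh_p bytes:", (p.bit_length() + 7) // 8, "dh_Ys bytes:", (ys.bit_length() + 7) // 8)
```

A client that reads dh_Ys as a fixed `len(dh_p)` bytes, or that left-pads the shared secret back to that width before key derivation, will disagree with the server in exactly the cases this search finds.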
Comments and activity
- Microsoft Edge Team
Changed Assigned To to “Sermet I.”
Changed Assigned To to “Venkat K.”
Changed Assigned To from “Venkat K.” to “Rob T.”
Changed Assigned To from “Rob T.” to “Andrei P.”
Changed Assigned To from “Andrei P.” to “IE S.”
Changed Status to “Duplicate”