Hi Martin,
Thanks for your reply.
I had raised a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1815167)
as you suggested.

I want this bug to be fixed as soon as possible. The clients are not able
to connect to the NSS server and are terminated with "unsupported
extension". This is a high priority issue for us.

Could you please guide me to make it a high priority issue and get it fixed
in the next ESR release?

Best Regards,
Hanumesh

On Thu, Feb 2, 2023 at 6:58 AM Martin Thomson <m...@mozilla.com> wrote:

> It's possible that we have a bug on our end here.
>
> There are two extensions we don't fully support here:
> * encrypt_then_mac - we have absolutely no knowledge of this, so we should
> be ignoring it.
> * certificate_authorities - the tricky one
>
> We do understand certificate_authorities, but we don't handle it from the
> client.  Now, we can (and probably should) ignore it.  TLS 1.3 allows the
> client to use it, even if it is a rare thing to see in practice.
>
> Can I suggest that you open a bug for this:
> https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=Libraries
> (If you are able, including a full copy of the problematic ClientHello will
> make this a lot easier for us to diagnose.)
>
>
> On Thu, Feb 2, 2023 at 4:14 AM hanumesh nk <hanumeshn...@gmail.com> wrote:
>
>> Hi Team,
>> I am using nss-3.68.4-with-nspr-4.32 in my server. Client is trying to
>> connect to the server using STARTTLS, but after the "Client Hello" message is
>> sent, the server is sending "Unsupported Extension" to the client and the
>> connection is getting closed.
>>
>> Could anyone help me to figure out which extension the server did not
>> support?
>>
>> Below is the client hello message with extensions obtained from tcpdump:
>> Transport Layer Security
>>     TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>>         Content Type: Handshake (22)
>>         Version: TLS 1.0 (0x0301)
>>         Length: 751
>>         Handshake Protocol: Client Hello
>>             Handshake Type: Client Hello (1)
>>             Length: 747
>>             Version: TLS 1.2 (0x0303)
>>             Random: <Random>
>>             Session ID Length: 32
>>             Session ID: <Session id>
>>             Cipher Suites Length: 62
>>             Cipher Suites (31 suites)
>>             Compression Methods Length: 1
>>             Compression Methods (1 method)
>>             Extensions Length: 612
>>             Extension: ec_point_formats (len=4)
>>             Extension: supported_groups (len=12)
>>             Extension: encrypt_then_mac (len=0)
>>             Extension: extended_master_secret (len=0)
>>             Extension: signature_algorithms (len=48)
>>             Extension: supported_versions (len=9)
>>             Extension: psk_key_exchange_modes (len=2)
>>             Extension: key_share (len=38)
>>             Extension: certificate_authorities (len=463)
>>
>> Any help to resolve this problem will be really helpful.
>>
>>
>> Best Regards,
>> Hanumesh
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "dev-tech-crypto@mozilla.org" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to dev-tech-crypto+unsubscr...@mozilla.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/CAMiJu-nkJqwp3fwY9JXPYZSLeu%3DuLU15WYbNxK3OG5ZjTxps9A%40mail.gmail.com
>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/CAMiJu-nkJqwp3fwY9JXPYZSLeu%3DuLU15WYbNxK3OG5ZjTxps9A%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>
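
For anyone diagnosing the same alert, the following is an added example (not part of the thread and not NSS code) that walks the extensions block of a raw ClientHello record and marks the two extension types named in the reply above. The sample record is constructed: bodies are zero-filled and only the lengths are copied from the capture; `parse_extensions`, `build_sample` and `NAMED_IN_THREAD` are hypothetical names, and the parser assumes the ClientHello fits in one TLS record.

```python
import struct

# IANA TLS ExtensionType codes for the extensions listed in the capture above.
EXT_NAMES = {
    10: "supported_groups", 11: "ec_point_formats", 13: "signature_algorithms",
    22: "encrypt_then_mac", 23: "extended_master_secret", 43: "supported_versions",
    45: "psk_key_exchange_modes", 47: "certificate_authorities", 51: "key_share",
}
# The two extensions the reply in this thread names as not fully supported.
NAMED_IN_THREAD = {22, 47}

def parse_extensions(record: bytes):
    """Return [(type, name, length)] for a single-record TLS ClientHello."""
    ctype, _, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or record[5] != 1:
        raise ValueError("not a handshake record carrying a ClientHello")
    if rec_len != len(record) - 5:
        raise ValueError("truncated or multi-record ClientHello")
    pos = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos, end = pos + 2, pos + 2 + ext_total
    if end != len(record):
        raise ValueError("extensions block does not end at the record boundary")
    out = []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4 + elen
        if pos > end:
            raise ValueError("extension overruns the extensions block")
        out.append((etype, EXT_NAMES.get(etype, "unknown"), elen))
    return out

def build_sample() -> bytes:
    """Constructed ClientHello: zero-filled bodies, lengths copied from the capture."""
    exts = [(11, 4), (10, 12), (22, 0), (23, 0), (13, 48), (43, 9), (45, 2), (51, 38), (47, 463)]
    ext_block = b"".join(struct.pack("!HH", t, n) + bytes(n) for t, n in exts)
    body = (b"\x03\x03" + bytes(32) + b"\x20" + bytes(32) + struct.pack("!H", 62) + bytes(62)
            + b"\x01\x00" + struct.pack("!H", len(ext_block)) + ext_block)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for etype, name, elen in parse_extensions(build_sample()):
        note = "  <- named in the thread" if etype in NAMED_IN_THREAD else ""
        print(f"{etype:5d} {name:26s} len={elen}{note}")
```

With the lengths from the capture, the rebuilt record comes out at the same 751-byte record length and 612-byte extensions length that the dissection reports.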
