Hi Hanumesh,

I've submitted a patch <https://phabricator.services.mozilla.com/D169918> to fix this for you which we'll get into the next ESR. In the meantime, there are two workarounds which may work for you:

- Disable TLS 1.3 on the server so that connections negotiate TLS 1.2; or
- Disable certificate_authorities on the clients.

Best,
Dennis

On Wed, 15 Feb 2023 at 12:59, hanumesh nk <hanumeshn...@gmail.com> wrote:
> Hi Martin,
> Thanks for your reply.
> I had raised a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1815167) as you suggested.
>
> I want this bug to be fixed as soon as possible. The clients are not able to connect to the NSS server and are terminated with "unsupported extension". This is a high priority issue for us.
>
> Could you please guide me to make it a high priority issue and get it fixed in the next ESR release?
>
> Best Regards,
> Hanumesh
>
> On Thu, Feb 2, 2023 at 6:58 AM Martin Thomson <m...@mozilla.com> wrote:
>> It's possible that we have a bug on our end here.
>>
>> There are two extensions we don't fully support here:
>> * encrypt_then_mac - we have absolutely no knowledge of this, so we should be ignoring it.
>> * certificate_authorities - the tricky one
>>
>> We do understand certificate_authorities, but we don't handle it from the client. Now, we can (and probably should) ignore it. TLS 1.3 allows the client to use it, even if it is a rare thing to see in practice.
>>
>> Can I suggest that you open a bug for this:
>> https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=Libraries
>> (If you are able, including a full copy of the problematic ClientHello will make this a lot easier for us to diagnose.)
>>
>> On Thu, Feb 2, 2023 at 4:14 AM hanumesh nk <hanumeshn...@gmail.com> wrote:
>>> Hi Team,
>>> I am using nss-3.68.4-with-nspr-4.32 in my server. The client is trying to connect to the server using STARTTLS, but after the "Client Hello" message is sent, the server sends "Unsupported Extension" to the client and the connection gets closed.
>>>
>>> Could anyone help me figure out which extension the server did not support?
>>>
>>> Below is the client hello message with extensions obtained from tcpdump:
>>>
>>> Transport Layer Security
>>>   TLSv1.2 Record Layer: Handshake Protocol: Client Hello
>>>     Content Type: Handshake (22)
>>>     Version: TLS 1.0 (0x0301)
>>>     Length: 751
>>>     Handshake Protocol: Client Hello
>>>       Handshake Type: Client Hello (1)
>>>       Length: 747
>>>       Version: TLS 1.2 (0x0303)
>>>       Random: <Random>
>>>       Session ID Length: 32
>>>       Session ID: <Session id>
>>>       Cipher Suites Length: 62
>>>       Cipher Suites (31 suites)
>>>       Compression Methods Length: 1
>>>       Compression Methods (1 method)
>>>       Extensions Length: 612
>>>       Extension: ec_point_formats (len=4)
>>>       Extension: supported_groups (len=12)
>>>       Extension: encrypt_then_mac (len=0)
>>>       Extension: extended_master_secret (len=0)
>>>       Extension: signature_algorithms (len=48)
>>>       Extension: supported_versions (len=9)
>>>       Extension: psk_key_exchange_modes (len=2)
>>>       Extension: key_share (len=38)
>>>       Extension: certificate_authorities (len=463)
>>>
>>> Any help to resolve this problem will be really helpful.
>>>
>>> Best Regards,
>>> Hanumesh
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "dev-tech-crypto@mozilla.org" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to dev-tech-crypto+unsubscr...@mozilla.org.
>>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/CAMiJu-nkJqwp3fwY9JXPYZSLeu%3DuLU15WYbNxK3OG5ZjTxps9A%40mail.gmail.com.
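Added example, not code from the thread or from NSS: a small Python parser that walks a TLS record down to the ClientHello extension list and reports, for a constructed ClientHello carrying a few of the extensions from the capture above, which ones a server processes and which it should simply ignore rather than answer with unsupported_extension. The extension type numbers are the IANA TLS ExtensionType values; the "handled" set passed to `explain()` is an assumption standing in for a given server's policy.

```python
import struct

# IANA TLS ExtensionType values for the extensions seen in the capture above.
EXT_NAMES = {
    10: "supported_groups", 11: "ec_point_formats", 13: "signature_algorithms",
    22: "encrypt_then_mac", 23: "extended_master_secret", 43: "supported_versions",
    45: "psk_key_exchange_modes", 47: "certificate_authorities", 51: "key_share",
}


def build_client_hello(extensions):
    """Build a minimal TLS record carrying a ClientHello with the given
    [(ext_type, ext_data)] list. Constructed test input, not a real capture."""
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03" + bytes(32) + b"\x00"     # legacy_version, random (zeros), empty session_id
        + b"\x00\x02\x13\x01"                  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(ext_block)) + ext_block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake(22)


def parse_client_hello_extensions(record):
    """Walk record -> handshake -> ClientHello and return [(ext_type, length), ...]."""
    ctype, _legacy_ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # legacy_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    found = []
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        found.append((ext_type, ext_len))
        pos += 4 + ext_len
    return found


def explain(record, server_handles_from_client):
    """Name each extension and mark the ones the server does not process when a
    client sends them. RFC 8446 lets a client send certificate_authorities and
    requires servers to ignore extensions they do not recognise, so an
    unsupported_extension alert for either case points at a server-side bug."""
    report = []
    for ext_type, length in parse_client_hello_extensions(record):
        name = EXT_NAMES.get(ext_type, f"unknown({ext_type})")
        status = "ok" if ext_type in server_handles_from_client else "not handled: should ignore"
        report.append((name, length, status))
    return report
```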