Mbed-TLS/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-06-05 21:15:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add change log

Browse Source 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
2026-03-10 17:01:50 +01:00
parent 759895e7df
commit 622b69d1d0
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ChangeLog.d/tls12-2nd-client-hello.txt
+9
View File
@@ -0,0 +1,9 @@
Security
* Fixed an issue in TLS 1.3 server handling of the second ClientHello, after
sending a HelloRetryRequest message. A man-in-the-middle attacker could
force a TLS 1.3 session resumption using a ticket to fall back to an
unintended TLS 1.2 session resumption with an all-zero master secret.
This could result in client authentication being bypassed and allow client
impersonation.
Found and reported by Jaehun Lee, Pohang University of Science and
Technology (POSTECH).