Skip to content

[TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond #9662

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AlexLanzano wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[TLS 1.2, TLS 1.3] Fail immediately if server sends empty certificate message for TLS 1.2 and beyond #9662

AlexLanzano wants to merge 1 commit into from
+2 −2

Conversation

@AlexLanzano
Copy link
Contributor

@AlexLanzano AlexLanzano commented Jan 14, 2026

Description

For TLS 1.2, the client accepts an empty certificate message from the server. This violates RFC 5246 section 7.4.2. However, for TLS 1.3 the client will properly fail immediately when receiving an empty certificate message from the server.

So to fix this, I modified the empty cert check to include both TLS 1.2 and TLS 1.3.

Fixes #9651

Testing

Reproduction steps in #9651

@AlexLanzano AlexLanzano mentioned this pull request Jan 14, 2026
Open
@SparkiDev
Copy link
Contributor

SparkiDev commented Jan 14, 2026
edited
Loading

How is accepting an empty ServerCertificate message violating RFC 5246 7.4.2?
I think you mean for non-anonymous cipher suites this is invalid. Which means you need to check the cipher suite before failing in the TLS 1.2 case.

@SparkiDev SparkiDev assigned AlexLanzano and unassigned wolfSSL-Bot Jan 14, 2026
@SparkiDev SparkiDev removed the request for review from wolfSSL-Bot January 14, 2026 22:27
@AlexLanzano
Copy link
Contributor Author

AlexLanzano commented Jan 15, 2026

@SparkiDev Here's the ServerCertificate message structure from the RFC

   Structure of this message:

      opaque ASN.1Cert<1..2^24-1>;

      struct {
          ASN.1Cert certificate_list<0..2^24-1>;
      } Certificate;

My understanding of this is that whenever the server sends this message there needs to be at least one cert with length 1 to 2^24-1 in order to be valid.

@SparkiDev
Copy link
Contributor

SparkiDev commented Jan 15, 2026
edited
Loading

OK.
I'm remembering TLS 1.1 and the fact that the minimum is 0.
Static DH/ECDH used to have an empty certificate message in older versions of the protocol. For TLS 1.2 it appears you don't send a certificate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@AlexLanzano AlexLanzano

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: RFC 5246 violation: empty server certificate not rejected in TLS 1.2 handshake

3 participants

@AlexLanzano @SparkiDev @wolfSSL-Bot