From 36edd48c61c9c86edd9d3774496c83d12d2cfaa5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 5 Mar 2025 17:41:59 +0100 Subject: [PATCH] Document the limitations of TLS handshake message defragmentation Signed-off-by: Gilles Peskine --- include/mbedtls/ssl.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 0c0c8bb4d2..85255498b2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -4360,6 +4360,24 @@ void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, * with \c mbedtls_ssl_read()), not handshake messages. * With DTLS, this affects both ApplicationData and handshake. * + * \note Defragmentation of incoming handshake messages in TLS + * (excluding DTLS) is supported with some limitations: + * - On an Mbed TLS server that only accepts TLS 1.2, + * the initial ClientHello message must not be fragmented. + * A TLS 1.2 ClientHello may be fragmented if the server + * also accepts TLS 1.3 connections (meaning + * that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the + * accepted versions have not been restricted with + * mbedtls_ssl_conf_max_tls_version() or the like). + * - A ClientHello message that initiates a renegotiation + * must not be fragmented. + * - The first fragment of a handshake message must be + * at least 4 bytes long. + * - Non-handshake records must not be interleaved between + * the fragments of a handshake message. (This is permitted + * in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it + * even in TLS 1.2.) + * * \note This sets the maximum length for a record's payload, * excluding record overhead that will be added to it, see * \c mbedtls_ssl_get_record_expansion().