TLS 1.2 servers reject ClientHello without an extension list #9963
Labels
bug
component-tls
help-wanted
This issue is not being actively worked on, but PRs welcome.
size-s
Estimated task size: small (~2d)
In a TLS 1.2 ClientHello, the list of extensions is optional, and omitting the extension list is supposed to be equivalent to sending an empty list of extensions.
@mpg found that Mbed TLS servers do not always accept a ClientHello where the extension list is omitted. Specifically, servers that support TLS 1.3 reject ClientHello messages without an extension list, even if the client does not advertise TLS 1.3 support.
This is a regression in Mbed TLS 3.6.0 in the default configuration, since prior versions did not enable TLS 1.3 at compile time by default.
Workarounds:
mbedtls_ssl_conf_max_tls_version(ssl_conf, MBEDTLS_SSL_VERSION_TLS1_2) (as in ssl_server2 force_version=tls12).

A ClientHello with no extensions in particular means no signature_algorithms extension. If the cipher suite uses a signature, this signature will use SHA-1, which is insecure. It may be viable with RSA-decryption or PSK key exchanges. (Or static ECDH, but that doesn't work with Mbed TLS due to another limitation: we require ECC extensions.)
At this time, we consider this a low-importance bug, and we do not intend to fix it. But if this affects you, please let us know and we'll raise the priority.
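The equivalence described in this issue (an omitted extension list is the same as an empty one), as an added example that is not part of the issue and is not Mbed TLS code: a bounds-checked walk over a TLS 1.2 ClientHello body following the RFC 5246 section 7.4.1.2 layout. The function name and the sample messages are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed samples: version 3.3, all-zero random, empty session id,
 * one cipher suite (0x002f), null compression. */
static const uint8_t hello_no_ext[41] =      /* extension list omitted */
    { 0x03, 0x03, [34] = 0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00 };
static const uint8_t hello_empty_ext[43] =   /* extension list present, empty */
    { 0x03, 0x03, [34] = 0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00,
      0x00, 0x00 };
static const uint8_t hello_one_ext[47] =     /* one 4-byte extension (type 0x0017) */
    { 0x03, 0x03, [34] = 0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00,
      0x00, 0x04, 0x00, 0x17, 0x00, 0x00 };

/* Hypothetical helper. p points at the ClientHello body (after the 4-byte
 * handshake header). Returns the extension list length in bytes, 0 when the
 * list is omitted, or -1 when the message is malformed. */
int client_hello_ext_len(const uint8_t *p, size_t len)
{
    size_t off = 2 + 32;                      /* client_version + random */
    size_t n;

    if (len < off + 1) return -1;
    n = p[off++];                             /* session_id length */
    if (n > 32 || len - off < n) return -1;
    off += n;

    if (len - off < 2) return -1;
    n = ((size_t) p[off] << 8) | p[off + 1];  /* cipher_suites length */
    off += 2;
    if (n < 2 || (n & 1) || len - off < n) return -1;
    off += n;

    if (len - off < 1) return -1;
    n = p[off++];                             /* compression_methods length */
    if (n < 1 || len - off < n) return -1;
    off += n;

    /* Message ends here: list omitted, treated exactly like an empty list. */
    if (off == len) return 0;

    if (len - off < 2) return -1;             /* a lone trailing byte is an error */
    n = ((size_t) p[off] << 8) | p[off + 1];  /* extensions length */
    off += 2;
    return (len - off == n) ? (int) n : -1;   /* list must fill the message */
}

int main(void) { return client_hello_ext_len(hello_no_ext, sizeof hello_no_ext) != 0; }
```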