
SSL Labs checks for TLS version intolerance and TLS extension intolerance. I've seen another answer on this site that covers version intolerance, but what does extension intolerance mean, specifically, in this context?

The most information I could find online is that specifying extensions in the ServerHello message that are unsupported by a poorly written server might lead to a protocol downgrade or a closed connection, but it isn't clear to me exactly what that means in terms of the actual messages that might be sent in order to trigger this issue.

Are they talking about ClientHello extension records whose 16-bit identifiers do not match any known by the server?

Polynomial

1 Answer


The book "Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications" describes this on page 168 essentially as a server-side handshake failure caused by the inability to process TLS extensions in the ClientHello. See the following part taken from Google Books:


Given that the author of this book is Ivan Ristić, who works for Qualys, which provides the SSL Labs service, I expect that this is the intended meaning within the context of the SSL Labs tests.

Steffen Ullrich
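As an added illustration of the "extension intolerance" the answer describes (this is example code written for this page, not code from the book, from SSL Labs or from either poster): the difference between a ClientHello with and without an extensions block is purely structural. A pre-RFC-3546 ClientHello ends right after the compression methods; a modern one carries a length-prefixed block of (type, length, body) extension records after them. The parser below is the kind of check a defender would run over a captured record to see which extensions a client sent, and the builder constructs both shapes so you can compare them. All byte values (hostname, cipher suites, the 0xFFAA private-use extension type) are constructed for the example; the extension-type names come from the IANA TLS ExtensionType registry (RFC 8446 and related RFCs).

```python
import struct

# Wire-format constants (RFC 5246 / RFC 8446).
TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
TLS12 = b"\x03\x03"

# A handful of IANA-registered ExtensionType values, enough to label what a
# parser sees; anything else is reported as "unknown".
EXTENSION_NAMES = {
    0: "server_name",
    10: "supported_groups",
    11: "ec_point_formats",
    13: "signature_algorithms",
    16: "application_layer_protocol_negotiation",
    23: "extended_master_secret",
    43: "supported_versions",
    51: "key_share",
    65281: "renegotiation_info",
}


def _vec(data: bytes, len_bytes: int) -> bytes:
    """Length-prefixed vector, the building block of the TLS wire format."""
    return len(data).to_bytes(len_bytes, "big") + data


def sni_extension(hostname: str):
    """server_name extension (type 0) carrying one host_name entry."""
    entry = b"\x00" + _vec(hostname.encode(), 2)      # NameType host_name = 0
    return (0, _vec(entry, 2))                          # ServerNameList


def build_client_hello(extensions=None, cipher_suites=(0xC02F, 0x009C)) -> bytes:
    """Return a full TLS record carrying a ClientHello.

    extensions: list of (type, body) tuples, or None to omit the extensions
    block entirely (the legacy shape that an intolerant server expects).
    """
    client_random = bytes(range(32))                    # constructed, not random
    body = TLS12 + client_random
    body += _vec(b"", 1)                                # empty legacy session id
    body += _vec(b"".join(struct.pack("!H", cs) for cs in cipher_suites), 2)
    body += _vec(b"\x00", 1)                            # compression: null only
    if extensions is not None:
        ext_bytes = b"".join(struct.pack("!H", t) + _vec(b, 2) for t, b in extensions)
        body += _vec(ext_bytes, 2)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + _vec(body, 3)
    return bytes([TLS_RECORD_HANDSHAKE]) + TLS12 + _vec(handshake, 2)


def parse_client_hello(record: bytes) -> dict:
    """Parse a ClientHello record and report whether it carries extensions."""
    if not record or record[0] != TLS_RECORD_HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    pos += 32                                           # client random
    pos += 1 + body[pos]                                # legacy session id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # compression methods
    result = {"version": version.hex(), "cipher_suites": suites,
              "has_extensions": False, "extensions": []}
    if pos == len(body):
        return result                                   # legacy: no extensions block
    result["has_extensions"] = True
    ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions block length does not match message")
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        result["extensions"].append((etype, EXTENSION_NAMES.get(etype, "unknown")))
        pos += 4 + elen
    if pos != end:
        raise ValueError("malformed extensions block")
    return result


if __name__ == "__main__":
    modern = build_client_hello([sni_extension("example.test"), (65281, b"\x00")])
    legacy = build_client_hello(None)
    print(parse_client_hello(modern))
    print(parse_client_hello(legacy))
```

The two messages are otherwise identical; a server that cannot cope with the trailing extensions block will fail (or silently drop the connection) on the first and accept the second, which is why a client-side "retry without extensions" fallback looks like a downgrade from the outside.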
  • Hah, coincidentally, I actually just sent Ivan a message on Twitter about something else he did at SSL Labs. This explanation makes total sense though, as I did think it was a bit far-fetched that servers would reject connections with unrecognised extension records, whereas random unattributed garbage at the end of a message is definitely a more likely reason for rejecting a packet. And I'll definitely grab a copy of that book! – Polynomial Feb 07 '20 at 16:58