Article Number
000035885
Applies To
RSA Product Set: BSAFE Micro Edition Suite (MES)
RSA Product/Service Type: Extended Random TLS Extension
RSA Version/Condition: 3.2.x.x to 4.0.3
Issue
TLS 1.3-capable clients may fail to connect to a TLS server build with RSA BSAFE Micro Edition Suite (MES).
Cause
Some versions of RSA BSAFE Micro Edition Suite (MES) implemented the draft TLS extension ID #40 as “Extended Random” whereas TLS 1.3 draft uses ID #40 as “key_share” extension, causing a TLS draft 1.3-capable client to fail to connect to a TLS server built with those versions of MES.
Resolution
Source code version customers of MES 3.2.x.x must recompile MES with -DNO_TLS_EXT_RAND compilation flag.
Source code version customers of MES 4.0 to 4.0.3 must ensure to recompile MES without -DTLS_EXT_RAND compilation flag.
Notes
The RSA BSAFE product suite is available in a pre-compiled binary format, as well as source code for customers licensed to the latter format.
RSA BSAFE MES versions 3.2.x.x. to 4.0.3 allowed the inclusion and use of the "Extended Random" TLS extension draft.
Binary format of MES provided by RSA to customers was compiled to make the Extended Random TLS extension unavailable.
Customers compiling their own version of MES have the ability to opt-in, or opt-out of this TLS extension.
Note that no version of BSAFE supports TLS 1.3 as of January 2018.
