[openssl-users] [AES-GCM] TLS packet nounce_explicit overflow

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Mar 9 15:26:30 UTC 2017


And there's no reason for it to do so, because it isn't needed. If you generate one TLS packet every nanosecond, it will take nearly six centuries to overflow, by which time the version of TLS you're using will have been deprecated and all security guarantees are moot anyway.

In general, most security experts recommend against keeping a TLS conversation open for years at a time.

Michael Wojcik
Distinguished Engineer, Micro Focus



From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Salz, Rich via openssl-users
Sent: Thursday, March 09, 2017 05:49
To: openssl-users at openssl.org
Subject: Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow

No, it does not do this automatically.

    if the nounce _explicit overflows or overlaps , then does openssl code handles it (atleast by initiating renegotiation )?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170309/74c007f4/attachment-0001.html>


More information about the openssl-users mailing list