[openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

Nikos Mavrogiannopoulos via RT rt at openssl.org
Mon Oct 12 15:17:46 UTC 2015


On Mon, 2015-09-28 at 11:35 +0000, Albe Laurenz via RT wrote:

> The RFC writes:
> 
>    Note: If a rehandshake occurs while data is flowing on a connection,
>    the communicating parties may continue to send data using the old
>    CipherSpec.  However, once the ChangeCipherSpec has been sent, the
>    new CipherSpec MUST be used.  The first side to send the
>    ChangeCipherSpec does not know that the other side has finished
>    computing the new keying material (e.g., if it has to perform a
>    time-consuming public key operation).  Thus, a small window of time,
>    during which the recipient must buffer the data, MAY exist.  In
>    practice, with modern machines this interval is likely to be fairly
>    short.
> 
> Could that be interpreted to mean that the recipient should buffer
> all incoming Application Data messages that are sent between
> ChangeCipherSpec and Finished?

That doesn't sound safe. Consider the case where re-authentication
occurs and a different identity is presented while the previous
commands are being cached. The server will see the commands of the
initial session as commands coming from the new session which is under
a new user. I think that unless you can separate re-authentication from
rehandshake to refresh the keys, the current behavior of openssl which
drops the session is quite safe.

regards,
Nikos
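To make the attribution problem in the reply above concrete, here is a constructed Python model written for this page. It is not OpenSSL code and not a TLS implementation: records are plain objects, there is no encryption, and the identity names ("alice", "bob"), the commands and the record order are assumptions chosen for illustration. The two policies compared are also a modelling choice: one buffers application data received between the peer's ChangeCipherSpec and Finished and executes it after the handshake completes, the other treats such data as fatal, which is how this example models the "drops the session" behaviour the reply attributes to OpenSSL.

```python
"""
Constructed model of a server handling application data that arrives
between a renegotiating peer's ChangeCipherSpec and its Finished.
Illustration only: not OpenSSL code, not a TLS implementation.
Identity names, commands and record order are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Record:
    kind: str           # "app_data", "certificate", "change_cipher_spec", "finished"
    payload: str = ""   # command text for app_data, presented identity for certificate


@dataclass
class ModelServer:
    # Policy under test: True = buffer application data received in the
    # CCS..Finished window and execute it once the handshake completes;
    # False = treat application data in that window as fatal (this is the
    # example's model of "dropping the session").
    buffer_across_ccs: bool
    identity: str = "alice"             # assumption: initial handshake authenticated alice
    pending_identity: Optional[str] = None
    in_ccs_window: bool = False
    alive: bool = True
    buffered: List[str] = field(default_factory=list)
    executed: List[Tuple[str, str]] = field(default_factory=list)  # (identity, command)

    def feed(self, rec: Record) -> None:
        if not self.alive:
            return  # connection already torn down; nothing more is processed
        if rec.kind == "certificate":
            # Re-authentication during the rehandshake: the new identity is
            # only provisional until the handshake completes.
            self.pending_identity = rec.payload
        elif rec.kind == "change_cipher_spec":
            self.in_ccs_window = True
        elif rec.kind == "finished":
            self.in_ccs_window = False
            if self.pending_identity is not None:
                self.identity = self.pending_identity
                self.pending_identity = None
            # Anything buffered is now executed under the *new* identity,
            # although it was sent before that identity was established.
            for cmd in self.buffered:
                self.executed.append((self.identity, cmd))
            self.buffered.clear()
        elif rec.kind == "app_data":
            if self.in_ccs_window:
                if self.buffer_across_ccs:
                    self.buffered.append(rec.payload)
                else:
                    self.alive = False  # fatal: this data cannot be attributed safely
            else:
                self.executed.append((self.identity, rec.payload))
        else:
            raise ValueError(f"unknown record kind {rec.kind!r}")


# Constructed record stream (an assumption, not a captured trace): alice's
# session is renegotiated with bob's certificate, and one command lands in
# the window between ChangeCipherSpec and Finished.
TRACE = [
    Record("app_data", "read /home/alice/notes"),
    Record("certificate", "bob"),
    Record("change_cipher_spec"),
    Record("app_data", "delete /home/bob/*"),
    Record("finished"),
    Record("app_data", "list /home/bob"),
]


def run_trace(buffer_across_ccs: bool, trace=TRACE) -> ModelServer:
    """Feed the trace to a fresh server with the given policy and return it."""
    srv = ModelServer(buffer_across_ccs=buffer_across_ccs)
    for rec in trace:
        srv.feed(rec)
    return srv


if __name__ == "__main__":
    for policy in (True, False):
        srv = run_trace(policy)
        print(f"buffer_across_ccs={policy}: executed={srv.executed} alive={srv.alive}")
```

With buffering, the "delete" command sent before bob's Finished is executed as bob, which is exactly the misattribution the reply warns about; with the fatal policy the only command ever executed is the one attributed to alice while her identity was actually current, and the connection is torn down. The model separates the two concerns the reply mentions: a rehandshake that only refreshes keys would leave `identity` unchanged, and buffering would then be harmless in this model.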