[openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

Hubert Kario via RT rt at openssl.org
Fri Oct 16 15:05:37 UTC 2015


On Friday 16 October 2015 13:52:14 Matt Caswell via RT wrote:
> On 16/10/15 10:56, Hubert Kario via RT wrote:
> > On Friday 16 October 2015 08:53:06 Matt Caswell via RT wrote:
> >> So now I really don't know what the "right" way forward is. Should
> >> we be applying the patch or not?
> > 
> > I can't think of a way to exploit it if two assumptions hold:
> >  1). we have secure renegotiation
> >  2). API calls return metadata (certificates especially) from
> >      *active* context, not one currently negotiated
> 
> So these API calls will return the *new* certificate and verification
> result *before* a CertificateVerify has been received.
> 
> Fixing this sort of problem is going to be *hard* and probably require
> quite a lot of non-trivial changes - definitely not the sort of the
> thing I want to be doing in a stable branch. Fixing this is an
> example of what I meant by "onerous mitigations", but I now realise
> it is absolutely necessary if we wanted to pursue this.
> 
> I think we should be marking this as a "won't fix" for all released
> versions. The question is whether we should even attempt to fix it for
> 1.1.0 or not.

We may actually be able to patch this up partially in 1.0.x.

The original problem description mentions the server being unable to process 
application data before Certificate/Client Key Exchange, not in any 
place whatsoever.

(Albe, please double-check that you didn't see Java sending app data at 
any different point.)

Unless the server is completely asynchronous, it's unlikely it will send 
application data messages between handshake messages from a single 
flight; it will send app data only between different flights.

In other words, we should still be able to accept this data before the 
client's responses have had any chance to modify the certificates in the 
server.

Of course, that doesn't allow us to fix it for the other side of the 
connection, where the application data is sent by the server after Server 
Hello Done and before the server's Change Cipher Spec.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
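An added example, not part of the thread and not OpenSSL's code: a small Python model of the server side of a TLS 1.2 renegotiation that encodes the two assumptions discussed above (secure renegotiation is in place, and certificate metadata is served from the *active* context until the new handshake completes) together with the proposed partial mitigation (accept interleaved application data only until the client's Certificate/ClientKeyExchange arrives). The class and method names, the message-name-only handshake and the sample certificate subjects are all hypothetical and constructed for the model.

```python
"""Toy model of server-side TLS 1.2 renegotiation state.

Added example only; the names below are hypothetical and the handshake is
reduced to message names. It illustrates:
  1) renegotiation is refused unless RFC 5746 secure renegotiation was negotiated,
  2) peer-certificate getters report the *active* context, never the one in flight,
  3) application data interleaved with the renegotiation is accepted only before
     the client's Certificate/ClientKeyExchange have been received.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SessionContext:
    peer_cert: Optional[str]  # e.g. "CN=alice"; None means no client certificate
    verified: bool            # True only after a valid CertificateVerify was seen


@dataclass
class RenegotiatingServer:
    active: SessionContext                    # session the connection is currently protected by
    secure_renegotiation: bool = True         # RFC 5746 extension negotiated on the connection
    pending: Optional[SessionContext] = None  # context under negotiation, not yet live
    received: List[str] = field(default_factory=list)
    app_data_accepted: List[bytes] = field(default_factory=list)

    def start_renegotiation(self) -> None:
        # Assumption 1: never renegotiate without the secure renegotiation extension.
        if not self.secure_renegotiation:
            raise ValueError("refusing renegotiation without RFC 5746")
        # Server has already sent ServerHello..ServerHelloDone; nothing from the client yet.
        self.pending = SessionContext(peer_cert=None, verified=False)
        self.received = []

    def client_cert_or_kex_seen(self) -> bool:
        return any(m in ("Certificate", "ClientKeyExchange") for m in self.received)

    def handle_handshake(self, msg: str, cert: Optional[str] = None, sig_ok: bool = False) -> None:
        assert self.pending is not None, "not renegotiating"
        self.received.append(msg)
        if msg == "Certificate":
            self.pending.peer_cert = cert
        elif msg == "CertificateVerify":
            # Proof of possession of the private key: only now is the new cert trustworthy.
            self.pending.verified = sig_ok and self.pending.peer_cert is not None
        elif msg == "Finished":
            if self.pending.peer_cert is not None and not self.pending.verified:
                raise ValueError("client certificate without valid CertificateVerify")
            # Switch contexts atomically; the new certificate becomes visible only here.
            self.active, self.pending = self.pending, None

    def handle_app_data(self, data: bytes) -> bool:
        """Partial mitigation: accept interleaved app data only before the client's
        Certificate/ClientKeyExchange, i.e. before the client's responses could
        have changed the server's view of the peer. Returns True if accepted."""
        if self.pending is not None and self.client_cert_or_kex_seen():
            return False
        self.app_data_accepted.append(data)
        return True

    def peer_cert(self) -> Optional[str]:
        """Assumption 2: report the *active* context, never the pending one."""
        return self.active.peer_cert

    def peer_verified(self) -> bool:
        return self.active.verified


def run_java_style_client() -> dict:
    """Client behaviour as described in the thread: app data right after the
    renegotiation ClientHello, before Certificate/ClientKeyExchange (constructed)."""
    srv = RenegotiatingServer(active=SessionContext(peer_cert=None, verified=False))
    srv.start_renegotiation()
    early = srv.handle_app_data(b"GET / HTTP/1.1")          # before client flight 2: accepted
    srv.handle_handshake("Certificate", cert="CN=alice")
    cert_mid = srv.peer_cert()                               # still None: new cert not yet verified
    late = srv.handle_app_data(b"POST /admin HTTP/1.1")      # after Certificate: rejected
    srv.handle_handshake("ClientKeyExchange")
    srv.handle_handshake("CertificateVerify", sig_ok=True)
    srv.handle_handshake("ChangeCipherSpec")
    srv.handle_handshake("Finished")
    return {"early": early, "late": late, "cert_mid": cert_mid,
            "cert_after": srv.peer_cert(), "verified_after": srv.peer_verified()}


def forged_cert_without_verify() -> bool:
    """A peer that sends Certificate but never proves key possession must not
    become the active context; returns True if the model rejects it."""
    srv = RenegotiatingServer(active=SessionContext(peer_cert=None, verified=False))
    srv.start_renegotiation()
    srv.handle_handshake("Certificate", cert="CN=mallory")
    srv.handle_handshake("ClientKeyExchange")
    srv.handle_handshake("ChangeCipherSpec")
    try:
        srv.handle_handshake("Finished")
    except ValueError:
        return srv.peer_cert() is None
    return False


if __name__ == "__main__":
    print(run_java_style_client())
    print("forged cert rejected:", forged_cert_without_verify())
```

The point the model makes concrete is the one Matt raises: a getter that reads from the pending context would already return "CN=alice" after the Certificate message, before CertificateVerify; reading from the active context keeps the old identity until Finished, and the app-data gate refuses anything that arrives once the client's second flight has started.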