[openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken
Albe Laurenz
laurenz.albe at wien.gv.at
Mon Oct 19 10:18:57 UTC 2015
Hubert Kario wrote:
>> Fixing this sort of problem is going to be *hard* and probably require
>> quite a lot of non-trivial changes - definitely not the sort of the
>> thing I want to be doing in a stable branch. Fixing this is an
>> example of what I meant by "onerous mitigations", but I now realise
>> it is absolutely necessary if we wanted to pursue this.
>>
>> I think we should be marking this as a "won't fix" for all released
>> versions. The question is whether we should even attempt to fix it for
>> 1.1.0 or not.
>
> we may actually be able to patch this up partially in 1.0.x
>
> the original problem description mentions server being unable to process
> application data before Certificate/Client Key Exchange, not in any
> place what so ever
>
> (Albe, please double check if you didn't saw Java sending app data at
> any different point)
I ran my test with the patched version of OpenSSL 1.0.2, PostgreSQL 9.4.5 and
Java 1.7.0_71 which completes without errors, and this is a Wireshark trace:
4 0.002744000 10.155.6.40 10.153.93.229 TLSv1 62 Ignored Unknown Record
6 0.003135000 10.153.93.229 10.155.6.40 TLSv1 60 Ignored Unknown Record
7 0.189902000 10.155.6.40 10.153.93.229 TLSv1 259 Client Hello
8 0.192699000 10.153.93.229 10.155.6.40 TLSv1 1485 Server Hello, Certificate, Server Key Exchange, Server Hello Done
9 0.201141000 10.155.6.40 10.153.93.229 TLSv1 129 Client Key Exchange
10 0.208975000 10.155.6.40 10.153.93.229 TLSv1 60 Change Cipher Spec
12 0.210346000 10.155.6.40 10.153.93.229 TLSv1 107 Encrypted Handshake Message
13 0.210739000 10.153.93.229 10.155.6.40 TLSv1 113 Change Cipher Spec, Encrypted Handshake Message
14 0.211317000 10.155.6.40 10.153.93.229 TLSv1 187 Application Data
15 0.212242000 10.153.93.229 10.155.6.40 TLSv1 144 Application Data, Application Data
16 0.212865000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
17 0.212932000 10.155.6.40 10.153.93.229 TLSv1 123 Application Data
19 0.216170000 10.153.93.229 10.155.6.40 TLSv1 448 Application Data, Application Data
20 0.223596000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
21 0.223671000 10.155.6.40 10.153.93.229 TLSv1 155 Application Data
23 0.224256000 10.153.93.229 10.155.6.40 TLSv1 144 Application Data, Application Data
24 0.235175000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
25 0.235258000 10.155.6.40 10.153.93.229 TLSv1 171 Application Data
27 0.235622000 10.153.93.229 10.155.6.40 TLSv1 160 Application Data, Application Data
28 0.236106000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
29 0.236175000 10.155.6.40 10.153.93.229 TLSv1 155 Application Data
31 0.237038000 10.153.93.229 10.155.6.40 TLSv1 1514 Application Data
37 0.237265000 10.153.93.229 10.155.6.40 TLSv1 1020 Application Data
38 0.237265000 10.153.93.229 10.155.6.40 TLSv1 91 Encrypted Handshake Message
39 0.237265000 10.153.93.229 10.155.6.40 TLSv1 1008 Application Data, Application Data
41 0.241914000 10.155.6.40 10.153.93.229 TLSv1 331 Encrypted Handshake Message
42 0.244284000 10.153.93.229 10.155.6.40 TLSv1 1514 Encrypted Handshake Message, Encrypted Handshake Message
43 0.244285000 10.153.93.229 10.155.6.40 TLSv1 150 Encrypted Handshake Message
45 0.248419000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
46 0.248492000 10.155.6.40 10.153.93.229 TLSv1 155 Application Data
48 0.253568000 10.155.6.40 10.153.93.229 TLSv1 155 Encrypted Handshake Message
49 0.257257000 10.155.6.40 10.153.93.229 TLSv1 91 Change Cipher Spec
50 0.257494000 10.155.6.40 10.153.93.229 TLSv1 107 Encrypted Handshake Message
52 0.257939000 10.153.93.229 10.155.6.40 TLSv1 144 Change Cipher Spec, Encrypted Handshake Message
53 0.258048000 10.153.93.229 10.155.6.40 TLSv1 1514 Application Data
59 0.258282000 10.153.93.229 10.155.6.40 TLSv1 1020 Application Data
60 0.258283000 10.153.93.229 10.155.6.40 TLSv1 91 Encrypted Handshake Message
61 0.258283000 10.153.93.229 10.155.6.40 TLSv1 1008 Application Data, Application Data
63 0.265872000 10.155.6.40 10.153.93.229 TLSv1 331 Encrypted Handshake Message
64 0.266324000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
65 0.266431000 10.155.6.40 10.153.93.229 TLSv1 91 Encrypted Alert
67 0.267282000 10.153.93.229 10.155.6.40 TLSv1 293 Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message
Ist that good enough? Can you infer from context which "Encrypted Handshake Message" is what?
Yours,
Laurenz Albe
More information about the openssl-dev
mailing list