[openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

Hubert Kario via RT rt at openssl.org
Fri Sep 25 10:25:34 UTC 2015


On Friday 25 September 2015 10:47:42 Matt Caswell wrote:
> However, I have some concerns with the wording of the RFC. It seems to
> place no limits whatsoever on when it is valid to receive app data in
> the handshake. By the wording in the RFC it would be valid for app
> data to be received *after* the ChangeCipherSpec has been received
> but *before* the Finished has been processed. This seems dangerous to
> me because it is not until the Finished is processed that we verify
> the handshake data MAC - and yet we could already have acted upon app
> data received. I assume the intent was to allow the interleaved app
> data only up until the point that the CCS is received. I have
> attached a patch for 1.0.2 that implements that logic.

yes, I think the only place in which the handshake protocol and 
application data _can't_ be interleaved is between the CCS and Finished.

Or in other words, the following sections from RFC 5246 apply:

   Application data MUST NOT be sent prior to the
   completion of the first handshake (before a cipher suite other than
   TLS_NULL_WITH_NULL_NULL is established).

and:

      A Finished message is always sent immediately after a change
      cipher spec message to verify that the key exchange and
      authentication processes were successful. 

and:

   It is a fatal error if a Finished message is not preceded by a
   ChangeCipherSpec message at the appropriate point in the handshake.

aren't overruled by:

   Recipients MUST receive and process interleaved
   application layer traffic during handshakes subsequent to the first
   one on a connection.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
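As an added illustration of the rule discussed in the message above (not code from OpenSSL, from the attached 1.0.2 patch, or from either poster), the following is a hypothetical, deliberately simplified receiver-side state machine: application data is refused before the first handshake completes and between a received ChangeCipherSpec and the peer's Finished, but accepted while a renegotiation handshake is otherwise in flight. The record kinds, phase names, `process_record` and `first_rejected` are all constructed for this example; Finished is modelled as its own record kind, and the one-letter sequence strings are constructed test input.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical model of the record-layer policy from the thread above:
 * app data is rejected before the first handshake finishes and between
 * CCS and Finished, accepted elsewhere. Not OpenSSL's state machine.
 */

/* Handshake phase of one direction of a connection, as the receiver sees it. */
enum phase {
    PH_FIRST_HANDSHAKE, /* only TLS_NULL_WITH_NULL_NULL so far: no app data yet */
    PH_ESTABLISHED,     /* a cipher suite is in use and no handshake is pending */
    PH_RENEGOTIATING,   /* subsequent handshake started, CCS not yet received */
    PH_CCS_RECEIVED     /* CCS seen, Finished not yet verified: no app data */
};

/* Incoming record kinds; Finished is split out of the handshake stream
 * because it is the message whose position the RFC text constrains. */
enum record_type { RT_HANDSHAKE, RT_CCS, RT_FINISHED, RT_APP_DATA, RT_UNKNOWN };

enum verdict { V_ACCEPT, V_FATAL };

struct conn { enum phase phase; };

static int app_data_allowed(const struct conn *c)
{
    return c->phase == PH_ESTABLISHED || c->phase == PH_RENEGOTIATING;
}

/* Apply one record to the connection state. V_FATAL means "send a fatal
 * alert and tear down", which is what the RFC requires for a misplaced
 * Finished; we apply the same verdict to misplaced app data. */
enum verdict process_record(struct conn *c, enum record_type rt)
{
    switch (rt) {
    case RT_APP_DATA:
        return app_data_allowed(c) ? V_ACCEPT : V_FATAL;
    case RT_HANDSHAKE:
        if (c->phase == PH_CCS_RECEIVED)
            return V_FATAL;              /* only Finished may follow CCS */
        if (c->phase == PH_ESTABLISHED)
            c->phase = PH_RENEGOTIATING; /* HelloRequest/ClientHello opens a new handshake */
        return V_ACCEPT;
    case RT_CCS:
        if (c->phase != PH_FIRST_HANDSHAKE && c->phase != PH_RENEGOTIATING)
            return V_FATAL;              /* CCS outside a handshake */
        c->phase = PH_CCS_RECEIVED;
        return V_ACCEPT;
    case RT_FINISHED:
        if (c->phase != PH_CCS_RECEIVED)
            return V_FATAL;              /* Finished not preceded by CCS */
        c->phase = PH_ESTABLISHED;       /* handshake MAC verified at this point */
        return V_ACCEPT;
    default:
        return V_FATAL;
    }
}

static enum record_type parse_kind(char ch)
{
    switch (ch) {
    case 'H': return RT_HANDSHAKE;
    case 'C': return RT_CCS;
    case 'F': return RT_FINISHED;
    case 'A': return RT_APP_DATA;
    default:  return RT_UNKNOWN;
    }
}

/* Feed a constructed record sequence (H=handshake, C=CCS, F=Finished,
 * A=app data) to a fresh connection. Returns -1 if every record is
 * accepted, otherwise the index of the first record judged fatal. */
int first_rejected(const char *seq)
{
    struct conn c = { PH_FIRST_HANDSHAKE };
    for (int i = 0; seq[i] != '\0'; i++)
        if (process_record(&c, parse_kind(seq[i])) == V_FATAL)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed sequences exercising the accepted and rejected positions. */
    const char *cases[] = {
        "HCFAHACFA", /* renegotiation, app data interleaved before CCS: all accepted */
        "HA",        /* app data before the first handshake completes: rejected at 1 */
        "HCFAHCAF",  /* app data between CCS and Finished: rejected at 6 */
        "HF"         /* Finished without a preceding CCS: rejected at 1 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-10s -> first rejected record: %d\n", cases[i], first_rejected(cases[i]));
    return 0;
}
```

The model tracks only the receiving direction and collapses every non-Finished handshake message into one kind; a real implementation also has to apply the same gate to its own outgoing records and to handle the first-handshake MAC check that makes the CCS-to-Finished window dangerous in the first place.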