[openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

Matt Caswell matt at openssl.org
Fri Sep 25 10:40:27 UTC 2015



On 25/09/15 11:25, Hubert Kario via RT wrote:
> On Friday 25 September 2015 10:47:42 Matt Caswell wrote:
>> However, I have some concerns with the wording of the RFC. It seems to
>> place no limits whatsoever on when it is valid to receive app data in
>> the handshake. By the wording in the RFC it would be valid for app
>> data to be received *after* the ChangeCipherSpec has been received
>> but *before* the Finished has been processed. This seems dangerous to
>> me because it is not until the Finished is processed that we verify
>> the handshake data MAC - and yet we could already have acted upon app
>> data received. I assume the intent was to allow the interleaved app
>> data only up until the point that the CCS is received. I have
>> attached a patch for 1.0.2 that implements that logic.
> 
> yes, I think the only place in which the handshake protocol and 
> application data _can't_ be interleaved is between the CCS and Finished.

It would be nice to have a test for that, wouldn't it ;-)

Matt
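The rule the two of them agree on above, as an added example that is not OpenSSL's code and not the 1.0.2 patch Matt mentions (which is not part of this message): a toy record-acceptance state machine in C that lets application data interleave with renegotiation handshake messages until the peer's ChangeCipherSpec arrives, and then rejects it until the Finished has been processed. The enum, struct and function names, and the sample record sequences, are this example's own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Record content types as numbered in RFC 5246 section 6.2.1 */
enum content_type {
    CT_CHANGE_CIPHER_SPEC = 20,
    CT_ALERT = 21,
    CT_HANDSHAKE = 22,
    CT_APPLICATION_DATA = 23
};

/* Which handshake message a CT_HANDSHAKE record carries; for this example
 * only Finished matters, everything else is lumped into HS_OTHER. */
enum hs_msg { HS_OTHER = 0, HS_FINISHED = 20 };

/* Hypothetical per-connection state covering the renegotiation window */
struct reneg_state {
    bool in_handshake;  /* a (re)negotiation is in progress */
    bool ccs_received;  /* the peer's ChangeCipherSpec has arrived */
};

enum verdict { ACCEPT = 0, REJECT_UNEXPECTED = 1 };

/* Start a renegotiation on an established connection. */
void reneg_begin(struct reneg_state *st)
{
    st->in_handshake = true;
    st->ccs_received = false;
}

/* Decide whether one incoming record is acceptable in the current state. */
enum verdict reneg_process_record(struct reneg_state *st,
                                  enum content_type ct, enum hs_msg msg)
{
    switch (ct) {
    case CT_CHANGE_CIPHER_SPEC:
        /* Exactly one CCS, and only while a handshake is in progress */
        if (!st->in_handshake || st->ccs_received)
            return REJECT_UNEXPECTED;
        st->ccs_received = true;
        return ACCEPT;
    case CT_HANDSHAKE:
        if (msg == HS_FINISHED) {
            /* Finished must follow the CCS; processing it is where the
             * handshake MAC gets verified, which ends the window. */
            if (!st->ccs_received)
                return REJECT_UNEXPECTED;
            st->in_handshake = false;
            st->ccs_received = false;
        }
        return ACCEPT;
    case CT_APPLICATION_DATA:
        /* Interleaved app data is fine until the CCS. Between CCS and
         * Finished the peer's handshake has not been authenticated yet,
         * so acting on app data there would be premature: reject it. */
        if (st->in_handshake && st->ccs_received)
            return REJECT_UNEXPECTED;
        return ACCEPT;
    case CT_ALERT:
        return ACCEPT;
    }
    return REJECT_UNEXPECTED;
}

struct record { enum content_type ct; enum hs_msg msg; };

/* Feed a record sequence from the start of a renegotiation; return the index
 * of the first rejected record, or -1 if every record was accepted. */
int first_rejected(const struct record *recs, size_t n)
{
    struct reneg_state st = { false, false };
    reneg_begin(&st);
    for (size_t i = 0; i < n; i++)
        if (reneg_process_record(&st, recs[i].ct, recs[i].msg) != ACCEPT)
            return (int)i;
    return -1;
}

/* Constructed sequences: app data interleaved before the CCS is legal ... */
const struct record good_sequence[] = {
    { CT_HANDSHAKE, HS_OTHER }, { CT_APPLICATION_DATA, HS_OTHER },
    { CT_HANDSHAKE, HS_OTHER }, { CT_CHANGE_CIPHER_SPEC, HS_OTHER },
    { CT_HANDSHAKE, HS_FINISHED }, { CT_APPLICATION_DATA, HS_OTHER }
};
const size_t good_len = sizeof(good_sequence) / sizeof(good_sequence[0]);

/* ... but app data between the CCS and the Finished is not. */
const struct record bad_sequence[] = {
    { CT_HANDSHAKE, HS_OTHER }, { CT_CHANGE_CIPHER_SPEC, HS_OTHER },
    { CT_APPLICATION_DATA, HS_OTHER }, { CT_HANDSHAKE, HS_FINISHED }
};
const size_t bad_len = sizeof(bad_sequence) / sizeof(bad_sequence[0]);

int main(void)
{
    printf("good sequence: first rejected index = %d\n",
           first_rejected(good_sequence, good_len));
    printf("bad sequence:  first rejected index = %d\n",
           first_rejected(bad_sequence, bad_len));
    return 0;
}
```

The two sequences are the kind of test Matt asks for: the first should run to completion, the second should stop at the application-data record that arrives after the ChangeCipherSpec but before the Finished.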


