[openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

Karthikeyan Bhargavan karthik.bhargavan at gmail.com
Fri Sep 25 10:42:14 UTC 2015


During renegotiation, app data should not appear between CCS and Finished, but some implementations (e.g. NSS) do allow this.
I would consider it a state machine bug, although finding a serious exploit is not so easy.

> On 25 Sep 2015, at 12:40, Matt Caswell <matt at openssl.org> wrote:
> 
> 
> 
> On 25/09/15 11:25, Hubert Kario via RT wrote:
>> On Friday 25 September 2015 10:47:42 Matt Caswell wrote:
>>> However, I have some concerns with the wording of the RFC. It seems to
>>> place no limits whatsoever on when it is valid to receive app data in
>>> the handshake. By the wording in the RFC it would be valid for app
>>> data to be received *after* the ChangeCipherSpec has been received
>>> but *before* the Finished has been processed. This seems dangerous to
>>> me because it is not until the Finished is processed that we verify
>>> the handshake data MAC - and yet we could already have acted upon app
>>> data received. I assume the intent was to allow the interleaved app
>>> data only up until the point that the CCS is received. I have
>>> attached a patch for 1.0.2 that implements that logic.
>> 
>> yes, I think the only place in which the handshake protocol and 
>> application data _can't_ be interleaved is between the CCS and Finished.
> 
> It would be nice to have a test for that wouldn't it ;-)
> 
> Matt
> 
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
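The rule the thread converges on (application data may be interleaved with handshake records during a renegotiation, except between the peer's ChangeCipherSpec and its Finished, because until Finished is verified the handshake is unauthenticated) is easy to state and easy to get wrong in a record-layer state machine. The following is an added example, not OpenSSL code and not the patch attached to the ticket: a minimal receive-side state machine for an already-established TLS 1.2 connection that accepts or refuses records by content type and handshake message type. The state names, the `rx_sm` struct and the `finished_mac_ok` flag (which stands in for the real verify_data check) are this example's own assumptions; alert handling is elided.

```c
#include <stdbool.h>
#include <stdio.h>

/* Record-layer content types (RFC 5246, section 6.2.1). */
enum content_type { CT_CHANGE_CIPHER_SPEC = 20, CT_ALERT = 21,
                    CT_HANDSHAKE = 22, CT_APPLICATION_DATA = 23 };
/* Handshake message types used below (RFC 5246, section 7.4). */
enum hs_type { HS_HELLO_REQUEST = 0, HS_CLIENT_HELLO = 1, HS_FINISHED = 20 };

/* Receiver states for an established connection (example's own model). */
enum rx_state {
    RX_ESTABLISHED,    /* keys in use, no handshake running */
    RX_RENEG_PRE_CCS,  /* renegotiation running, peer's CCS not yet seen */
    RX_RENEG_POST_CCS, /* peer's CCS seen, its Finished not yet verified */
    RX_FAILED          /* fatal alert would be sent; nothing more accepted */
};
enum verdict { V_ACCEPT, V_REJECT_UNEXPECTED, V_REJECT_BAD_FINISHED };

struct rx_sm {
    enum rx_state state;
    unsigned app_data_accepted; /* app-data records handed to the application */
    unsigned app_data_rejected; /* app-data records refused (unexpected_message) */
};

static void rx_sm_init(struct rx_sm *sm)
{
    sm->state = RX_ESTABLISHED;
    sm->app_data_accepted = sm->app_data_rejected = 0;
}

/*
 * Process one received record.  hs_type is the handshake message type when
 * ct == CT_HANDSHAKE and is ignored otherwise.  finished_mac_ok is a stand-in
 * for the verify_data check a real stack performs when processing Finished.
 */
static enum verdict rx_record(struct rx_sm *sm, enum content_type ct,
                              int hs_type, bool finished_mac_ok)
{
    if (sm->state == RX_FAILED)
        return V_REJECT_UNEXPECTED;

    switch (ct) {
    case CT_APPLICATION_DATA:
        if (sm->state == RX_RENEG_POST_CCS) {
            /* Between CCS and Finished the peer's handshake is not yet
             * authenticated: acting on this data means acting on an
             * unverified handshake.  Refuse it and fail the connection. */
            sm->app_data_rejected++;
            sm->state = RX_FAILED;
            return V_REJECT_UNEXPECTED;
        }
        /* Established, or renegotiating before CCS: interleaving is allowed. */
        sm->app_data_accepted++;
        return V_ACCEPT;

    case CT_CHANGE_CIPHER_SPEC:
        if (sm->state != RX_RENEG_PRE_CCS) { /* CCS outside a handshake */
            sm->state = RX_FAILED;
            return V_REJECT_UNEXPECTED;
        }
        sm->state = RX_RENEG_POST_CCS;
        return V_ACCEPT;

    case CT_HANDSHAKE:
        if (sm->state == RX_ESTABLISHED) {
            /* Only a handshake-initiating message may arrive here. */
            if (hs_type == HS_HELLO_REQUEST || hs_type == HS_CLIENT_HELLO) {
                sm->state = RX_RENEG_PRE_CCS;
                return V_ACCEPT;
            }
        } else if (sm->state == RX_RENEG_PRE_CCS) {
            /* Any flight message except Finished, which must follow a CCS. */
            if (hs_type != HS_FINISHED)
                return V_ACCEPT;
        } else { /* RX_RENEG_POST_CCS: Finished is the only legal message */
            if (hs_type == HS_FINISHED) {
                if (finished_mac_ok) {
                    sm->state = RX_ESTABLISHED;
                    return V_ACCEPT;
                }
                sm->state = RX_FAILED;
                return V_REJECT_BAD_FINISHED;
            }
        }
        sm->state = RX_FAILED;
        return V_REJECT_UNEXPECTED;

    case CT_ALERT:
        return V_ACCEPT; /* alerts are legal in every state; handling elided */
    }
    sm->state = RX_FAILED;
    return V_REJECT_UNEXPECTED;
}

int main(void)
{
    /* Constructed trace: a server sees a client-initiated renegotiation in
     * which the client slips application data in after its CCS. */
    struct rx_sm sm;
    rx_sm_init(&sm);
    printf("app data, established: %d\n", rx_record(&sm, CT_APPLICATION_DATA, -1, false));
    printf("ClientHello:           %d\n", rx_record(&sm, CT_HANDSHAKE, HS_CLIENT_HELLO, false));
    printf("app data, pre-CCS:     %d\n", rx_record(&sm, CT_APPLICATION_DATA, -1, false));
    printf("CCS:                   %d\n", rx_record(&sm, CT_CHANGE_CIPHER_SPEC, -1, false));
    printf("app data, post-CCS:    %d\n", rx_record(&sm, CT_APPLICATION_DATA, -1, false));
    return 0;
}
```

The point of the `RX_RENEG_POST_CCS` state is that the check is positional, not cryptographic: the record between CCS and Finished may decrypt and MAC-check perfectly under the new keys, and is still refused because nothing has yet proven the peer's handshake transcript.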
