[openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

Albe Laurenz via RT rt at openssl.org
Mon Sep 28 11:35:15 UTC 2015


Matt Caswell wrote:
> I've been looking into this issue. The reason this fails is because at
> some point in the past there has been an explicit design decision to
> disallow it.

Thank you for your work!
I agree with your analysis.

> However, I have some concerns with the wording of the RFC. It seems to
> place no limits whatsoever on when it is valid to receive app data in
> the handshake. By the wording in the RFC it would be valid for app data
> to be received *after* the ChangeCipherSpec has been received but
> *before* the Finished has been processed. This seems dangerous to me
> because it is not until the Finished is processed that we verify the
> handshake data MAC - and yet we could already have acted upon app data
> received. I assume the intent was to allow the interleaved app data only
> up until the point that the CCS is received. I have attached a patch for
> 1.0.2 that implements that logic.

The RFC writes:

   Note: If a rehandshake occurs while data is flowing on a connection,
   the communicating parties may continue to send data using the old
   CipherSpec.  However, once the ChangeCipherSpec has been sent, the
   new CipherSpec MUST be used.  The first side to send the
   ChangeCipherSpec does not know that the other side has finished
   computing the new keying material (e.g., if it has to perform a
   time-consuming public key operation).  Thus, a small window of time,
   during which the recipient must buffer the data, MAY exist.  In
   practice, with modern machines this interval is likely to be fairly
   short.

Could that be interpreted to mean that the recipient should buffer
all incoming Application Data messages that are sent between
ChangeCipherSpec and Finished?

However that may be, I tested your patch with PostgreSQL 9.4.4 and 
OpenJDK 1.7.0_85 and it solves my problem, so it seems like Java does not
try to send Application Data between ChangeCipherSpec and Finished.

If that patch gets applied, I expect it will make it into all active
branches, right?

If this bug gets closed, #2481 should probably get closed too.

Yours,
Laurenz Albe
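As an added illustration (not Matt's patch and not OpenSSL's own code), a small C model of the acceptance rule discussed in this thread: application data interleaved with the renegotiation handshake is accepted while the old CipherSpec is still in use, but once the peer's ChangeCipherSpec has arrived nothing except Finished is accepted until the handshake MAC has been checked. The single-letter record labels and the three phases are assumptions of this model.

```c
#include <stddef.h>
#include <string.h>

/* Record kinds in this model (hypothetical labels, not OpenSSL's enums):
   'H' handshake message, 'A' application data, 'C' ChangeCipherSpec,
   'F' Finished. Anything else is treated as unexpected. */
enum reneg_phase {
    PHASE_IDLE,         /* no renegotiation in progress */
    PHASE_IN_HANDSHAKE, /* renegotiation started, peer's CCS not yet seen */
    PHASE_CCS_RECEIVED  /* peer's CCS seen, its Finished not yet verified */
};

/* Returns 1 if the record is acceptable in the current phase, 0 otherwise,
   advancing the phase as a side effect. Application data is accepted
   while the old CipherSpec is in use (before CCS) and refused once the
   CCS has arrived, because only Finished verifies the handshake MAC. */
static int reneg_accept(enum reneg_phase *ph, char rec)
{
    switch (*ph) {
    case PHASE_IDLE:
        if (rec == 'H') { *ph = PHASE_IN_HANDSHAKE; return 1; }
        return rec == 'A';               /* CCS or Finished out of order */
    case PHASE_IN_HANDSHAKE:
        if (rec == 'C') { *ph = PHASE_CCS_RECEIVED; return 1; }
        return rec == 'H' || rec == 'A'; /* interleaved app data still fine */
    case PHASE_CCS_RECEIVED:
        if (rec == 'F') { *ph = PHASE_IDLE; return 1; }
        return 0;                        /* nothing else until MAC is checked */
    }
    return 0;
}

/* Feed a whole record sequence, e.g. "HAHCFA". Returns the 0-based index
   of the first record that would be rejected, or -1 if all are accepted. */
int reneg_run(const char *seq)
{
    enum reneg_phase ph = PHASE_IDLE;
    size_t n = strlen(seq);
    for (size_t i = 0; i < n; i++)
        if (!reneg_accept(&ph, seq[i]))
            return (int)i;
    return -1;
}
```

The sequence "HCAF" is the case Matt describes as dangerous: app data after CCS but before Finished, which this model rejects at index 2.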
