[openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

Matt Caswell via RT rt at openssl.org
Mon Sep 28 14:49:39 UTC 2015



On 28/09/15 12:35, Albe Laurenz via RT wrote:
> Matt Caswell wrote:
>> I've been looking into this issue. The reason this fails is because at
>> some point in the past there has been an explicit design decision to
>> disallow it.
> 
> Thank you for your work!
> I agree with your analysis.
> 
>> However, I have some concerns with the wording of the RFC. It seems to
>> place no limits whatsoever on when it is valid to receive app data in
>> the handshake. By the wording in the RFC it would be valid for app data
>> to be received *after* the ChangeCipherSpec has been received but
>> *before* the Finished has been processed. This seems dangerous to me
>> because it is not until the Finished is processed that we verify the
>> handshake data MAC - and yet we could already have acted upon app data
>> received. I assume the intent was to allow the interleaved app data only
>> up until the point that the CCS is received. I have attached a patch for
>> 1.0.2 that implements that logic.
> 
> The RFC writes:
> 
>    Note: If a rehandshake occurs while data is flowing on a connection,
>    the communicating parties may continue to send data using the old
>    CipherSpec.  However, once the ChangeCipherSpec has been sent, the
>    new CipherSpec MUST be used.  The first side to send the
>    ChangeCipherSpec does not know that the other side has finished
>    computing the new keying material (e.g., if it has to perform a
>    time-consuming public key operation).  Thus, a small window of time,
>    during which the recipient must buffer the data, MAY exist.  In
>    practice, with modern machines this interval is likely to be fairly
>    short.
> 
> Could that be interpreted to mean that the recipient should buffer
> all incoming Application Data messages that are sent between
> ChangeCipherSpec and Finished?

Thanks. I had missed that wording. I think this means that as soon as
the first party sends a CCS, they must not send any app data until they
have received a CCS back (they must buffer it until the CCS is seen). So
the second party should never expect to see app data between CCS and
Finished. It doesn't tell you anything about what the first party can
expect though, i.e. is the second party allowed to send app data between
the CCS and Finished?

> 
> However that may be, I tested your patch with PostgreSQL 9.4.4 and 
> OpenJDK 1.7.0_85 and it solves my problem, so it seems like Java does not
> try to send Application Data between ChangeCipherSpec and Finished.
> 
> If that patch gets applied, I expect it will make it into all active
> branches, right?

Well, that depends what you mean by active. 1.0.0 and 0.9.8 are only
receiving security fixes at the moment so this patch would not be
applied to those branches. It should be applied to master, 1.0.2 and
1.0.1. The patch is currently awaiting internal review.

> 
> If this bug gets closed, #2481 should probably get closed too.

I just closed it with a message pointing at this ticket. No point in
having both open.

Matt
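The acceptance rule discussed above (interleaved application data is tolerated while a renegotiation is in progress, but nothing except Finished is acceptable once the peer's ChangeCipherSpec has been seen, because the handshake MAC has not been verified yet) is modelled here as a small record-layer state machine. This is an added illustration, not the patch from the ticket or OpenSSL code; the enum names and the `accept_record`/`first_rejected` helpers are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Record kinds relevant to the thread (constructed, not OpenSSL's identifiers). */
typedef enum { REC_HANDSHAKE, REC_CCS, REC_FINISHED, REC_APPDATA } rec_t;

/* Receiver's view of the peer's renegotiation progress. */
typedef enum {
    ST_ESTABLISHED,    /* no handshake in flight: app data flows under current keys */
    ST_RENEG_PRE_CCS,  /* renegotiation started: app data under old keys still allowed */
    ST_RENEG_POST_CCS  /* peer's CCS seen: only Finished is acceptable until MAC check */
} state_t;

/* Decide whether a record may be accepted in the current state and advance it.
 * Policy from the thread: app data may be interleaved only up to the peer's CCS. */
bool accept_record(state_t *st, rec_t rec) {
    switch (*st) {
    case ST_ESTABLISHED:
        if (rec == REC_HANDSHAKE) { *st = ST_RENEG_PRE_CCS; return true; }
        return rec == REC_APPDATA;             /* CCS/Finished with no handshake: reject */
    case ST_RENEG_PRE_CCS:
        if (rec == REC_CCS) { *st = ST_RENEG_POST_CCS; return true; }
        return rec == REC_HANDSHAKE || rec == REC_APPDATA;  /* Finished before CCS: reject */
    case ST_RENEG_POST_CCS:
        if (rec == REC_FINISHED) { *st = ST_ESTABLISHED; return true; }
        return false;                          /* app data before Finished: MAC unverified */
    }
    return false;
}

/* Feed a constructed record sequence; return the index of the first rejected
 * record, or -1 if every record was acceptable. */
int first_rejected(const rec_t *seq, int n) {
    state_t st = ST_ESTABLISHED;
    for (int i = 0; i < n; i++)
        if (!accept_record(&st, seq[i])) return i;
    return -1;
}

int main(void) {
    /* Constructed sequences: app data before the CCS is fine, after it is not. */
    const rec_t ok[]  = { REC_APPDATA, REC_HANDSHAKE, REC_APPDATA, REC_HANDSHAKE,
                          REC_CCS, REC_FINISHED, REC_APPDATA };
    const rec_t bad[] = { REC_HANDSHAKE, REC_CCS, REC_APPDATA, REC_FINISHED };
    printf("ok sequence:  first rejected = %d\n", first_rejected(ok, 7));
    printf("bad sequence: first rejected = %d\n", first_rejected(bad, 4));
    return 0;
}
```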
