[openssl-dev] Renegotiation ticket 3712

Mody, Darshan (Darshan) darshanmody at avaya.com
Mon Apr 3 11:40:05 UTC 2017


Matt,

I was under the impression that this issue would have been addressed in the latest OpenSSL version, 1.1.0.

In the case of high-traffic, high-security networks, one of the best ways to validate a long-lived connection is to do a renegotiation (unless the negotiated protocol is TLS 1.3, which is still in the draft phase). Since the traffic cannot be stopped, and since, as mentioned in the RFC, app data and renegotiation can be interleaved, there is a good chance that OpenSSL will encounter app data instead of a handshake message. This makes OpenSSL throw an "unexpected record" error, for which the application has to take an action (mostly closing the connection due to the error encountered), thus leading to traffic disruption.

The issue is fairly time-sensitive and leads to a non-deterministic outcome.

Hence I was expecting the issue to be addressed in OpenSSL 1.1.0, given the major overhaul of the state machine and internals.

Thanks
Darshan
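The failure mode described in the message above, as an added example that is not part of the original thread and not OpenSSL's own code: a minimal TLS 1.2 record-layer parser (5-byte header: content type, version, length) and handshake-header parser run over a constructed client-to-server byte stream in which application data is interleaved with the renegotiation handshake. The "strict" reader models a state machine that, once it is waiting for the client's handshake, treats any application_data record as an unexpected record and errors out; the "tolerant" reader queues that data for the application and lets the handshake continue. The stream, the handshake bodies, the plaintext Finished, and the rule that the peer's Finished ends the handshake are all simplifying assumptions made for the example.

```python
"""Simulated TLS 1.2 record reader during server-initiated renegotiation.

Added example: a toy model of the record layer, not OpenSSL's implementation.
Every byte string below is constructed for illustration.
"""
import struct

# Record content types (RFC 5246 6.2.1) and handshake message types (RFC 5246 7.4)
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
HT_HELLO_REQUEST = 0
HT_CLIENT_HELLO = 1
HT_FINISHED = 20
HANDSHAKE_NAMES = {HT_HELLO_REQUEST: "HelloRequest",
                   HT_CLIENT_HELLO: "ClientHello",
                   HT_FINISHED: "Finished"}
MAX_RECORD = 2 ** 14 + 2048  # upper bound on TLSCiphertext.length


class UnexpectedRecord(Exception):
    """Raised by the strict reader when application data arrives mid-handshake."""


def build_record(content_type, payload, version=(3, 3)):
    """TLS record: type (1) | version (2) | length (2) | payload."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def build_handshake(msg_type, body=b""):
    """Handshake message: type (1) | uint24 body length | body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def parse_records(stream):
    """Split a byte stream into (content_type, payload) tuples, checking every length."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ct, _major, _minor, length = struct.unpack_from("!BBBH", stream, off)
        off += 5
        if length > MAX_RECORD:
            raise ValueError("record length %d exceeds maximum" % length)
        if off + length > len(stream):
            raise ValueError("truncated record body")
        records.append((ct, stream[off:off + length]))
        off += length
    return records


def parse_handshake_messages(payload):
    """Return the names of the handshake messages packed into one record payload."""
    msgs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError("truncated handshake header")
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated handshake body")
        msgs.append(HANDSHAKE_NAMES.get(msg_type, "type%d" % msg_type))
        off += length
    return msgs


def drive_renegotiation(stream, tolerate_app_data):
    """Server-side reader after it has sent HelloRequest and awaits the client's handshake.

    Returns (handshake messages seen, application data delivered).
    tolerate_app_data=False: only handshake records are acceptable until the
    renegotiation completes, so app data raises UnexpectedRecord.
    tolerate_app_data=True: app data is queued for the application and reading continues.
    Assumption for the toy model: the peer's Finished message ends the handshake.
    """
    seen, app_data = [], []
    handshaking = True
    for ct, payload in parse_records(stream):
        if ct == CT_HANDSHAKE:
            seen.extend(parse_handshake_messages(payload))
            if "Finished" in seen:
                handshaking = False
        elif ct == CT_APPLICATION_DATA:
            if handshaking and not tolerate_app_data:
                raise UnexpectedRecord("application data received while expecting handshake")
            app_data.append(payload)
        else:
            raise ValueError("unsupported content type %d" % ct)
    return seen, app_data


# Constructed client->server stream: a request already in flight when the HelloRequest
# went out, then the ClientHello, another request, then (a fake plaintext) Finished.
SAMPLE_STREAM = (
    build_record(CT_APPLICATION_DATA, b"GET /1 HTTP/1.1\r\n\r\n")
    + build_record(CT_HANDSHAKE, build_handshake(HT_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32))
    + build_record(CT_APPLICATION_DATA, b"GET /2 HTTP/1.1\r\n\r\n")
    + build_record(CT_HANDSHAKE, build_handshake(HT_FINISHED, b"\x00" * 12))
)


def run_both():
    """Outcome of the strict and tolerant policies on the same sample stream."""
    try:
        strict = drive_renegotiation(SAMPLE_STREAM, tolerate_app_data=False)
    except UnexpectedRecord as exc:
        strict = "error: " + str(exc)
    tolerant = drive_renegotiation(SAMPLE_STREAM, tolerate_app_data=True)
    return strict, tolerant


if __name__ == "__main__":
    print(run_both())
```

The strict policy fails on the very first record, before the ClientHello has even been read, which is the timing-dependent outcome the message describes: whether the connection survives depends only on whether the client's in-flight data happened to be ahead of its ClientHello. The tolerant policy delivers both requests and still completes the handshake.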

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Matt Caswell
Sent: Monday, April 03, 2017 3:59 PM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] Renegotiation ticket 3712



On 03/04/17 11:24, Mody, Darshan (Darshan) wrote:
> Thanks Matt,
> 
> Just another query. Is the issue addressed in the latest openssl 1.1.0?

My answer was for 1.1.0 (as was your original question)? In any case it is not addressed in any OpenSSL version.

Matt

> 
> Regards
> Darshan
> 
> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Matt Caswell
> Sent: Monday, April 03, 2017 2:53 PM
> To: openssl-dev at openssl.org
> Subject: Re: [openssl-dev] Renegotiation ticket 3712
> 
> 
> 
> On 02/04/17 04:50, Mody, Darshan (Darshan) wrote:
>> Hi Matt,
>>
>> Is renegotiation fixed in OpenSSL 1.1.0?
>> https://rt.openssl.org/Ticket/Display.html?id=3712&user=guest&pass=guest
>>
>> From the ticket it seems it's marked resolved, but your patch is not in
>> the OpenSSL base due to possible vulnerabilities.
> 
> No, this issue is not fixed. It would require a major overhaul to properly fix it, and I don't think it is considered worth it for this issue.
> 
> Matt
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
> 
> 