[openssl-users] Explicit IV in TLS 1.1+

Matt Caswell matt at openssl.org
Tue Feb 13 23:26:15 UTC 2018

On 13/02/18 22:02, Curt Johansson wrote:
> Hi all, 
> I'm developing support for TLS 1.1 and 1.2 in a radius-server that until now only handles TLS 1.0. I'm testing with a testtool that the vendor says is
> using OpenSSL to implement the TLS support. It all seems to work except for the following: 
> When all key exchange messages are sent from the server and back from the client the client sends the "Finished" message which 
> is the first encrypted with the negotiated symmetric cipher suite. I use AES-128 in block mode and according to the spec (RFC4346 for TLS 1.1) 
> the IV is prepended to the encrypted message (containing the payload, MAC and padding). The message size i right and when (in the server) I use the first 16 bytes 
> of the message received from the client as IV the decryption fails but when I use the mechanism from TLS 1.0 to pick up the IV from 
> the key_block the decryption is successful. I understand that this is one way to generate the IV that I suppose you use which is fine but 
> shouldn't this 16 byte vector be prepended, unecrypted, to the encrypted data that is sent to the server? In TLS 1.2 there is not IV material generated 
> at all in the key_block so in that case I don't even know where to find it. 
> The simple question is, shouldn't the first 16 bytes (assuming AES) of the message (after the 5 byte header) be the unencrypted IV to be used in the decryption of the rest of the message?

Yes, assuming you have negotiated an AES CBC ciphersuite in TLSv1.1 or
TLSv1.2, then that is what happens. You don't say what version of
OpenSSL you are using. Here is the code that does it for 1.1.1 (i.e.
master branch):


As can be seen on line 969 we just fill the IV with random bytes.

Perhaps you could provide a wireshark trace of the handshake which might
provide some enlightenment as to what is happening.


> I tried to dig in to the OpenSSL source but it's far too long ago I did some serious C coding so I hope someone with a working knowledge can enlighten me. I might have
> misunderstood the spec but in that case I would be grateful if someone could clarify this specific part of it. 
> TIA 
> Curt Johansson

More information about the openssl-users mailing list