On 19/07/2014 17:34, Jeff MAURY wrote:
> No, I don't agree with that because the spec says that the new key materials
> should be set current only when the change cipher spec message is received
> from the server. So I think we can continue sending messages encrypted with
> the old key if the handshake messages are after in the queue.

What I read from the spec (RFC 6101, par 5.5): "the client sends a client hello message to which the server must respond with a server hello message, or else a fatal error will occur and the connection will fail" suggests the opposite. In other words, if a client sends a ClientHello, anything the server will send but ServerHello will generate an error.

By all means, I think that once one peer has initiated a handshake, everything but the SSL Handshake messages is forbidden, on both sides.

> The problem is that if we encrypt before sending it's likely that we will
> encrypt with the new key if the handshake message has been read processed by
> the ssl engine

That, I agree. IMO, we should never encrypt before sending.