On Friday 25 September 2015 10:47:42 Matt Caswell wrote:
> However, I have some concerns with the wording of the RFC. It seems to
> place no limits whatsoever on when it is valid to receive app data in
> the handshake. By the wording in the RFC it would be valid for app
> data to be received *after* the ChangeCipherSpec has been received
> but *before* the Finished has been processed. This seems dangerous to
> me because it is not until the Finished is processed that we verify
> the handshake data MAC - and yet we could already have acted upon app
> data received. I assume the intent was to allow the interleaved app
> data only up until the point that the CCS is received. I have
> attached a patch for 1.0.2 that implements that logic.
Yes, I think the only place in which the handshake protocol and
application data _can't_ be interleaved is between the CCS and Finished.
Or in other words, the following sections from RFC 5246 apply:

    Application data MUST NOT be sent prior to the
    completion of the first handshake (before a cipher suite other than
    TLS_NULL_WITH_NULL_NULL is established).

and:

    A Finished message is always sent immediately after a change
    cipher spec message to verify that the key exchange and
    authentication processes were successful.

and:

    It is a fatal error if a Finished message is not preceded by a
    ChangeCipherSpec message at the appropriate point in the handshake.

aren't overruled by:

    Recipients MUST receive and process interleaved
    application layer traffic during handshakes subsequent to the first
    one on a connection.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
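The receive-side rules the two messages above agree on, written out as a small record-layer state machine. This is an added, constructed model for illustration; it is not OpenSSL code and not Matt's 1.0.2 patch. The content-type and handshake-type constants are the real RFC 5246 values, but the handshake is reduced to ClientHello/CCS/Finished, the Finished check is a fixed byte-string comparison standing in for the PRF-based verify_data computation, and the record sequences at the bottom are made up. It enforces the three quoted rules: no application data before the first handshake completes, none between a ChangeCipherSpec and the Finished that verifies it, and a Finished is fatal without a CCS directly in front of it, while application data interleaved into a renegotiation before the CCS is accepted.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Tuple

# TLS record content types (RFC 5246 section 6.2.1)
CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23

# handshake message types (RFC 5246 section 7.4)
HT_CLIENT_HELLO = 1
HT_FINISHED = 20

# Constructed stand-in for a verify_data value that checks out. A real stack
# recomputes PRF(master_secret, finished_label, Hash(handshake_messages)).
GOOD_VERIFY_DATA = b"verify-data-ok"


class Phase(Enum):
    NULL_CIPHER = auto()     # before the first handshake completes
    IN_HANDSHAKE = auto()    # handshake running, peer's CCS not yet seen
    AWAIT_FINISHED = auto()  # peer's CCS seen, its Finished not yet verified
    ESTABLISHED = auto()     # handshake complete, application data flows


@dataclass
class Record:
    content_type: int
    payload: bytes = b""  # for HANDSHAKE records the first byte is the msg type


class FatalAlert(Exception):
    """Raised where a real stack would send a fatal alert and close."""


@dataclass
class Receiver:
    phase: Phase = Phase.NULL_CIPHER
    handshakes_completed: int = 0
    accepted_app_data: List[bytes] = field(default_factory=list)

    def process(self, rec: Record) -> None:
        if rec.content_type == APPLICATION_DATA:
            self._on_app_data(rec)
        elif rec.content_type == CHANGE_CIPHER_SPEC:
            self._on_ccs()
        elif rec.content_type == HANDSHAKE:
            self._on_handshake(rec)
        elif rec.content_type == ALERT:
            raise FatalAlert("peer sent alert")
        else:
            raise FatalAlert("unexpected_message: unknown content type")

    def _on_app_data(self, rec: Record) -> None:
        # Nothing is accepted under TLS_NULL_WITH_NULL_NULL, i.e. before the
        # first handshake has completed.
        if self.handshakes_completed == 0:
            raise FatalAlert("unexpected_message: app data before first handshake completed")
        # Interleaving stops at the CCS: between CCS and Finished the
        # handshake transcript has not been verified yet.
        if self.phase is Phase.AWAIT_FINISHED:
            raise FatalAlert("unexpected_message: app data between CCS and Finished")
        # ESTABLISHED, or IN_HANDSHAKE during a renegotiation: accept.
        self.accepted_app_data.append(rec.payload)

    def _on_ccs(self) -> None:
        if self.phase is not Phase.IN_HANDSHAKE:
            raise FatalAlert("unexpected_message: CCS outside a handshake")
        self.phase = Phase.AWAIT_FINISHED

    def _on_handshake(self, rec: Record) -> None:
        if not rec.payload:
            raise FatalAlert("decode_error: empty handshake record")
        msg_type, body = rec.payload[0], rec.payload[1:]
        if msg_type == HT_FINISHED:
            # Finished not preceded by a CCS at the appropriate point is fatal.
            if self.phase is not Phase.AWAIT_FINISHED:
                raise FatalAlert("unexpected_message: Finished without preceding CCS")
            if body != GOOD_VERIFY_DATA:
                raise FatalAlert("decrypt_error: Finished verify_data mismatch")
            self.phase = Phase.ESTABLISHED
            self.handshakes_completed += 1
        elif self.phase is Phase.AWAIT_FINISHED:
            # Finished is always sent immediately after CCS; nothing else fits.
            raise FatalAlert("unexpected_message: expected Finished after CCS")
        else:
            # Any other handshake message (only ClientHello is modelled here)
            # starts or continues a handshake, including a renegotiation.
            self.phase = Phase.IN_HANDSHAKE


def run(records: List[Record]) -> Tuple[str, List[bytes]]:
    """Feed records in order; return ('ok', data) or (alert text, data accepted so far)."""
    rx = Receiver()
    try:
        for rec in records:
            rx.process(rec)
    except FatalAlert as e:
        return str(e), rx.accepted_app_data
    return "ok", rx.accepted_app_data


# Constructed sample records (not captured traffic).
HELLO = Record(HANDSHAKE, bytes([HT_CLIENT_HELLO]))
CCS = Record(CHANGE_CIPHER_SPEC)
FINISHED = Record(HANDSHAKE, bytes([HT_FINISHED]) + GOOD_VERIFY_DATA)
BAD_FINISHED = Record(HANDSHAKE, bytes([HT_FINISHED]) + b"forged")


def app(data: bytes) -> Record:
    return Record(APPLICATION_DATA, data)


if __name__ == "__main__":
    print(run([HELLO, CCS, FINISHED, app(b"GET /")]))
    print(run([HELLO, CCS, FINISHED, HELLO, app(b"ok"), CCS, app(b"too early"), FINISHED]))
```

The last sequence is Matt's dangerous case: a renegotiation where application data arrives after the peer's CCS but before its Finished. The receiver aborts at that record, so the data is never acted on; only the record interleaved before the CCS was accepted. Swap FINISHED for BAD_FINISHED in the first sequence to see the other half of the argument: the handshake fails at Finished, and because nothing was accepted in between there is nothing to retract.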
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
