During renegotiation, app data should not appear between CCS and finished, but some implementations (e.g. NSS) do allow this. I would consider it a state machine bug, although finding a serious exploit is not so easy.
> On 25 Sep 2015, at 12:40, Matt Caswell <m...@openssl.org> wrote:
>
> On 25/09/15 11:25, Hubert Kario via RT wrote:
>> On Friday 25 September 2015 10:47:42 Matt Caswell wrote:
>>> However, I have some concerns with the wording of the RFC. It seems to
>>> place no limits whatsoever on when it is valid to receive app data in
>>> the handshake. By the wording in the RFC it would be valid for app
>>> data to be received *after* the ChangeCipherSpec has been received
>>> but *before* the Finished has been processed. This seems dangerous to
>>> me because it is not until the Finished is processed that we verify
>>> the handshake data MAC - and yet we could already have acted upon app
>>> data received. I assume the intent was to allow the interleaved app
>>> data only up until the point that the CCS is received. I have
>>> attached a patch for 1.0.2 that implements that logic.
>>
>> yes, I think the only place in which the handshake protocol and
>> application data _can't_ be interleaved is between the CCS and Finished.
>
> It would be nice to have a test for that wouldn't it ;-)
>
> Matt
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
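The rule the thread converges on (application data may interleave with renegotiation handshake records right up to the ChangeCipherSpec, but never between the CCS and the Finished that authenticates the handshake) is easy to state as a small record-flow checker. The following is an added example written for this page; it is not OpenSSL code, not the patch Matt attached, and not NSS. It models the receiving endpoint's view of one direction of the record stream (the endpoint can see the handshake type of the encrypted Finished, a passive observer cannot), and the content-type and handshake-type numbers are the standard TLS values. The `Record` type, the phase names and the two sample flows are constructed for illustration.

```python
"""Toy checker for the TLS renegotiation rule discussed on the list:
application data must not arrive between ChangeCipherSpec and Finished.

Added example for this page, not code from OpenSSL, NSS or the thread.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# TLS record content types (RFC 5246)
CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23

# Handshake message types (RFC 5246)
HT_HELLO_REQUEST = 0
HT_CLIENT_HELLO = 1
HT_SERVER_HELLO = 2
HT_FINISHED = 20


class Phase(Enum):
    ESTABLISHED = "established"              # no handshake in flight
    RENEGOTIATING = "renegotiating"          # handshake in flight; app data may interleave
    AWAITING_FINISHED = "awaiting_finished"  # peer's CCS seen; Finished not yet verified


@dataclass(frozen=True)
class Record:
    """One inbound record as the endpoint sees it (constructed type for this example)."""
    content_type: int
    handshake_type: Optional[int] = None  # only meaningful for CT_HANDSHAKE


def check_record_flow(records: List[Record]) -> List[Tuple[int, str]]:
    """Walk the inbound record sequence and return (index, reason) for each
    record that violates the state machine.  The only rule enforced on
    application data is the one from the thread: it is rejected while we
    have seen the peer's ChangeCipherSpec but not yet its Finished."""
    phase = Phase.ESTABLISHED
    violations: List[Tuple[int, str]] = []

    for i, rec in enumerate(records):
        if rec.content_type == CT_HANDSHAKE:
            if phase is Phase.AWAITING_FINISHED and rec.handshake_type != HT_FINISHED:
                # After CCS the only acceptable handshake message is Finished.
                violations.append((i, "handshake message other than Finished after ChangeCipherSpec"))
            elif rec.handshake_type == HT_FINISHED:
                if phase is not Phase.AWAITING_FINISHED:
                    violations.append((i, "Finished without preceding ChangeCipherSpec"))
                phase = Phase.ESTABLISHED  # handshake MAC verified; normal traffic resumes
            elif phase is Phase.ESTABLISHED and rec.handshake_type in (
                HT_HELLO_REQUEST, HT_CLIENT_HELLO, HT_SERVER_HELLO
            ):
                phase = Phase.RENEGOTIATING  # a new handshake starts on the live connection
            # other handshake messages (Certificate, KeyExchange, ...) keep the phase

        elif rec.content_type == CT_CHANGE_CIPHER_SPEC:
            if phase is Phase.RENEGOTIATING:
                phase = Phase.AWAITING_FINISHED
            else:
                violations.append((i, "unexpected ChangeCipherSpec"))

        elif rec.content_type == CT_APPLICATION_DATA:
            if phase is Phase.AWAITING_FINISHED:
                violations.append((i, "application data between ChangeCipherSpec and Finished"))
            # interleaving before the CCS, or after Finished, is permitted

        # alerts and unknown content types are not part of this rule
    return violations


# Constructed sample flows (one direction of an already established connection).
# Permitted: app data interleaved with the renegotiation handshake up to the CCS.
GOOD_FLOW = [
    Record(CT_HANDSHAKE, HT_CLIENT_HELLO),
    Record(CT_APPLICATION_DATA),
    Record(CT_HANDSHAKE, 16),  # ClientKeyExchange
    Record(CT_APPLICATION_DATA),
    Record(CT_CHANGE_CIPHER_SPEC),
    Record(CT_HANDSHAKE, HT_FINISHED),
    Record(CT_APPLICATION_DATA),
]

# Rejected: app data arrives after the CCS but before the Finished is verified.
BAD_FLOW = [
    Record(CT_HANDSHAKE, HT_CLIENT_HELLO),
    Record(CT_CHANGE_CIPHER_SPEC),
    Record(CT_APPLICATION_DATA),
    Record(CT_HANDSHAKE, HT_FINISHED),
]

if __name__ == "__main__":
    print("good flow:", check_record_flow(GOOD_FLOW))
    print("bad flow: ", check_record_flow(BAD_FLOW))
```

Running it reports no violations for the first flow and flags record index 2 of the second, which is exactly the window the thread identifies as dangerous: data acted upon before the handshake MAC has been checked. A regression test for the real implementation would feed the same two sequences through the library's record layer and expect a fatal alert on the second.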