Hubert Kario wrote:
>> Fixing this sort of problem is going to be *hard* and probably require
>> quite a lot of non-trivial changes - definitely not the sort of the
>> thing I want to be doing in a stable branch. Fixing this is an
>> example of what I meant by "onerous mitigations", but I now realise
>> it is absolutely necessary if we wanted to pursue this.
>>
>> I think we should be marking this as a "won't fix" for all released
>> versions. The question is whether we should even attempt to fix it for
>> 1.1.0 or not.
>
> we may actually be able to patch this up partially in 1.0.x
>
> the original problem description mentions server being unable to process
> application data before Certificate/Client Key Exchange, not in any
> place whatsoever
>
> (Albe, please double check if you didn't see Java sending app data at
> any different point)
I ran my test with the patched version of OpenSSL 1.0.2, PostgreSQL 9.4.5 and
Java 1.7.0_71 which completes without errors, and this is a Wireshark trace:

4 0.002744000 10.155.6.40 10.153.93.229 TLSv1 62 Ignored Unknown Record
6 0.003135000 10.153.93.229 10.155.6.40 TLSv1 60 Ignored Unknown Record
7 0.189902000 10.155.6.40 10.153.93.229 TLSv1 259 Client Hello
8 0.192699000 10.153.93.229 10.155.6.40 TLSv1 1485 Server Hello, Certificate, Server Key Exchange, Server Hello Done
9 0.201141000 10.155.6.40 10.153.93.229 TLSv1 129 Client Key Exchange
10 0.208975000 10.155.6.40 10.153.93.229 TLSv1 60 Change Cipher Spec
12 0.210346000 10.155.6.40 10.153.93.229 TLSv1 107 Encrypted Handshake Message
13 0.210739000 10.153.93.229 10.155.6.40 TLSv1 113 Change Cipher Spec, Encrypted Handshake Message
14 0.211317000 10.155.6.40 10.153.93.229 TLSv1 187 Application Data
15 0.212242000 10.153.93.229 10.155.6.40 TLSv1 144 Application Data, Application Data
16 0.212865000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
17 0.212932000 10.155.6.40 10.153.93.229 TLSv1 123 Application Data
19 0.216170000 10.153.93.229 10.155.6.40 TLSv1 448 Application Data, Application Data
20 0.223596000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
21 0.223671000 10.155.6.40 10.153.93.229 TLSv1 155 Application Data
23 0.224256000 10.153.93.229 10.155.6.40 TLSv1 144 Application Data, Application Data
24 0.235175000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
25 0.235258000 10.155.6.40 10.153.93.229 TLSv1 171 Application Data
27 0.235622000 10.153.93.229 10.155.6.40 TLSv1 160 Application Data, Application Data
28 0.236106000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
29 0.236175000 10.155.6.40 10.153.93.229 TLSv1 155 Application Data
31 0.237038000 10.153.93.229 10.155.6.40 TLSv1 1514 Application Data
37 0.237265000 10.153.93.229 10.155.6.40 TLSv1 1020 Application Data
38 0.237265000 10.153.93.229 10.155.6.40 TLSv1 91 Encrypted Handshake Message
39 0.237265000 10.153.93.229 10.155.6.40 TLSv1 1008 Application Data, Application Data
41 0.241914000 10.155.6.40 10.153.93.229 TLSv1 331 Encrypted Handshake Message
42 0.244284000 10.153.93.229 10.155.6.40 TLSv1 1514 Encrypted Handshake Message, Encrypted Handshake Message
43 0.244285000 10.153.93.229 10.155.6.40 TLSv1 150 Encrypted Handshake Message
45 0.248419000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
46 0.248492000 10.155.6.40 10.153.93.229 TLSv1 155 Application Data
48 0.253568000 10.155.6.40 10.153.93.229 TLSv1 155 Encrypted Handshake Message
49 0.257257000 10.155.6.40 10.153.93.229 TLSv1 91 Change Cipher Spec
50 0.257494000 10.155.6.40 10.153.93.229 TLSv1 107 Encrypted Handshake Message
52 0.257939000 10.153.93.229 10.155.6.40 TLSv1 144 Change Cipher Spec, Encrypted Handshake Message
53 0.258048000 10.153.93.229 10.155.6.40 TLSv1 1514 Application Data
59 0.258282000 10.153.93.229 10.155.6.40 TLSv1 1020 Application Data
60 0.258283000 10.153.93.229 10.155.6.40 TLSv1 91 Encrypted Handshake Message
61 0.258283000 10.153.93.229 10.155.6.40 TLSv1 1008 Application Data, Application Data
63 0.265872000 10.155.6.40 10.153.93.229 TLSv1 331 Encrypted Handshake Message
64 0.266324000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
65 0.266431000 10.155.6.40 10.153.93.229 TLSv1 91 Encrypted Alert
67 0.267282000 10.153.93.229 10.155.6.40 TLSv1 293 Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message

Is that good enough? Can you infer from context which "Encrypted Handshake
Message" is what?
Yours,
Laurenz Albe
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
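
Added example, not part of the original message or of OpenSSL: a Python pass over frames 37-52 of the trace above that reports Application Data records sent while a renegotiation is open. The function name and the open/closed heuristic are assumptions of this example; it works from record types only, because the payloads are encrypted.

```python
import re

# Frames 37-52 of the trace above, one frame per line:
# number, time, source, destination, protocol, length, record list.
TRACE = """\
37 0.237265000 10.153.93.229 10.155.6.40 TLSv1 1020 Application Data
38 0.237265000 10.153.93.229 10.155.6.40 TLSv1 91 Encrypted Handshake Message
39 0.237265000 10.153.93.229 10.155.6.40 TLSv1 1008 Application Data, Application Data
41 0.241914000 10.155.6.40 10.153.93.229 TLSv1 331 Encrypted Handshake Message
42 0.244284000 10.153.93.229 10.155.6.40 TLSv1 1514 Encrypted Handshake Message, Encrypted Handshake Message
43 0.244285000 10.153.93.229 10.155.6.40 TLSv1 150 Encrypted Handshake Message
45 0.248419000 10.155.6.40 10.153.93.229 TLSv1 91 Application Data
46 0.248492000 10.155.6.40 10.153.93.229 TLSv1 155 Application Data
48 0.253568000 10.155.6.40 10.153.93.229 TLSv1 155 Encrypted Handshake Message
49 0.257257000 10.155.6.40 10.153.93.229 TLSv1 91 Change Cipher Spec
50 0.257494000 10.155.6.40 10.153.93.229 TLSv1 107 Encrypted Handshake Message
52 0.257939000 10.153.93.229 10.155.6.40 TLSv1 144 Change Cipher Spec, Encrypted Handshake Message
"""

FRAME = re.compile(r"^(\d+)\s+[\d.]+\s+(\S+)\s+(\S+)\s+TLSv1\s+(\d+)\s+(.+)$")

def interleaved_app_data(trace):
    """Return (frame, sender, record_count) for Application Data sent mid-renegotiation.

    Heuristic (assumption): a renegotiation opens at the first encrypted handshake
    record and closes once both peers sent Change Cipher Spec plus one more
    handshake record (their Finished).
    """
    hits, is_open, pending, finished = [], False, set(), set()
    for line in trace.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue
        frame, src, records = int(m.group(1)), m.group(2), m.group(5).split(", ")
        app = 0
        for rec in records:
            if rec == "Change Cipher Spec":
                pending.add(src)
            elif rec == "Encrypted Handshake Message":
                if src in pending:  # handshake record right after this peer's CCS
                    pending.discard(src)
                    finished.add(src)
                    if len(finished) == 2:
                        is_open = False
                        finished.clear()
                else:
                    is_open = True
            elif rec == "Application Data" and is_open:
                app += 1
        if app:
            hits.append((frame, src, app))
    return hits
```

On these frames it reports frame 39 from 10.153.93.229 and frames 45 and 46 from 10.155.6.40, the side that sent the Client Hello.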