On 13/10/16 11:45, David Woodhouse wrote: > ... is broken in 1.1. We negotiate it, then don't actually *do* it. > > https://github.com/openssl/openssl/pull/1705 contains a patch to > disable it unconditionally for DTLS, on both server and client. > > In that same PR there's also a patch to actually implement EtM for DTLS > — so that if it ever *stops* being disabled, it would actually work. > That second patch is tested (by reverting the first) against a GnuTLS > server both with and without EtM. > > What remains is to have a conversation about how, if ever, we can turn > EtM back on again. > > There are a few mitigating factors: > • OpenSSL 1.1 is the only version which has this problem. > • OpenSSL 1.1 supports DTLSv1.2 and AEAD ciphers, which disable EtM. > > However, the problem still exists for applications using OpenSSL 1.1 > with DTLSv1.0, where they *will* end up using a CBC cipher. > > I don't think it makes much sense just to leave EtM disabled — > depending on how you look at things, that's either not necessary (who > cares about OpenSSL 1.1.0[ab]; just upgrade to 1.1.0c!), or not > sufficient (1.1.0[ab] are still broken when talking to e.g. GnuTLS > anyway, and *everyone* would need to stop doing DTLS+EtM). > > So I think in the process of typing this mail, I've persuaded at least > *myself* that the PR above should be refactored to include *only* the > second patch; to *fix* EtM without disabling it. > > Any dissenting opinions?
Not from me. It's broken. Lets fix it. Matt > > It really would be nice to have a way to disable EtM voluntarily > though; especially for the DTLS_get_data_mtu() test cases that I've > added in PR#1666. > > > -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev