Matt,

I was under the impression that the issue would have been addressed in the latest openssl 
version, 1.1.0. 

In the case of high-traffic and high-security networks, one of the best ways to 
validate a long-lived connection is to do renegotiation (unless the negotiated 
protocol is TLS 1.3, which is still in the draft phase). Since the traffic cannot be stopped, 
and as mentioned in the RFC the app data and renegotiation can be interleaved, 
there is a good chance that openssl would encounter app data instead of a 
handshake message. This makes openssl throw an unexpected record error for 
which the application has to take an action (mostly closing the connection due 
to the error encountered), thus leading to traffic disruption. 

The issue is fairly time sensitive and leads to non-deterministic outcome. 

Hence I was expecting the issue to be addressed in openssl version 1.1.0 due 
to the major overhaul of the state machine and internals.

Thanks
Darshan

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Matt 
Caswell
Sent: Monday, April 03, 2017 3:59 PM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] Renegotiation ticket 3712



On 03/04/17 11:24, Mody, Darshan (Darshan) wrote:
> Thanks Matt,
> 
> Just another query. Is the issue addressed in the latest openssl 1.1.0?

My answer was for 1.1.0 (as was your original question)? In any case it is not 
addressed in any OpenSSL version.

Matt

> 
> Regards
> Darshan
> 
> -----Original Message-----
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf 
> Of Matt Caswell
> Sent: Monday, April 03, 2017 2:53 PM
> To: openssl-dev@openssl.org
> Subject: Re: [openssl-dev] Renegotiation ticket 3712
> 
> 
> 
> On 02/04/17 04:50, Mody, Darshan (Darshan) wrote:
>> Hi Matt,
>>
>> Is re-negotiation fixed with openssl 1.1.0 ? 
>> https://rt.openssl.org/Ticket/Display.html?id=3712&user=guest&pass=guest
>>
>> From the ticket it seems its marked resolved but your patch is not in 
>> the openssl base due to possible vulnerabilities.
> 
> No, this issue is not fixed. It would require a major overhaul to properly 
> fix it, and I don't think it is considered worth it for this issue.
> 
> Matt
 
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
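As an added illustration of the record-layer interleaving Darshan describes above (this is example code written for this page, not code from the thread or from OpenSSL): the toy demultiplexer below reads a constructed stream of plaintext TLS 1.2 records that arrive while a renegotiation is in progress. With tolerate_interleaving=False it models the failure mode in the post, erroring on the first application_data record it sees mid-handshake; with tolerate_interleaving=True it queues the application data and keeps tracking the handshake. The names RecordReader, run_reader and constructed_peer_stream, and the sample records themselves, are assumptions made for this example, and the model deliberately leaves out ChangeCipherSpec, key changes and encryption.

```python
import struct
from collections import deque

# TLS record-layer content types (RFC 5246 section 6.2.1)
CONTENT_HANDSHAKE = 22
CONTENT_APPLICATION_DATA = 23

# Handshake message types (RFC 5246 section 7.4)
HS_HELLO_REQUEST = 0
HS_CLIENT_HELLO = 1
HS_FINISHED = 20


def tls_record(content_type, payload, version=(3, 3)):
    """Plaintext TLS record: type(1) version(2) length(2) fragment. Constructed test data."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def handshake_message(msg_type, body=b""):
    """Handshake header: msg_type(1) + 24-bit body length, then the body."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def parse_records(data):
    """Split a byte stream into (content_type, fragment) pairs."""
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        content_type, _major, _minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        fragment = data[offset + 5:offset + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record fragment")
        records.append((content_type, fragment))
        offset += 5 + length
    return records


class RecordReader:
    """Toy demultiplexer (hypothetical, not OpenSSL's) for records received mid-renegotiation.

    tolerate_interleaving=False models the behaviour described in the thread: once a
    renegotiation has started, an application_data record is an 'unexpected record' error.
    tolerate_interleaving=True queues the application data and keeps the handshake going.
    """

    def __init__(self, tolerate_interleaving):
        self.tolerate_interleaving = tolerate_interleaving
        self.renegotiating = False
        self.app_data = deque()
        self.handshake_msgs = []

    def start_renegotiation(self):
        # The local side has just sent HelloRequest (server) or ClientHello (client).
        self.renegotiating = True

    def feed(self, data):
        for content_type, fragment in parse_records(data):
            if content_type == CONTENT_HANDSHAKE:
                self._on_handshake(fragment)
            elif content_type == CONTENT_APPLICATION_DATA:
                if self.renegotiating and not self.tolerate_interleaving:
                    raise RuntimeError("unexpected record: application data during renegotiation")
                self.app_data.append(fragment)
            else:
                raise RuntimeError("content type %d not modelled here" % content_type)

    def _on_handshake(self, fragment):
        msg_type = fragment[0]
        self.handshake_msgs.append(msg_type)
        if msg_type in (HS_HELLO_REQUEST, HS_CLIENT_HELLO):
            self.renegotiating = True
        elif msg_type == HS_FINISHED:
            # The peer's Finished closes the renegotiation in this toy model.
            self.renegotiating = False


def constructed_peer_stream():
    """Constructed sample: what a busy server might receive right after sending HelloRequest.

    Application data already in flight, then the peer's ClientHello, more application
    data sent before the new handshake completes (the old connection state stays in
    effect until ChangeCipherSpec), then Finished and post-renegotiation traffic.
    """
    return b"".join([
        tls_record(CONTENT_APPLICATION_DATA, b"GET /1"),
        tls_record(CONTENT_HANDSHAKE, handshake_message(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32)),
        tls_record(CONTENT_APPLICATION_DATA, b"GET /2"),
        tls_record(CONTENT_HANDSHAKE, handshake_message(HS_FINISHED, b"\x11" * 12)),
        tls_record(CONTENT_APPLICATION_DATA, b"GET /3"),
    ])


def run_reader(tolerate_interleaving):
    """Drive one reader over the constructed stream; returns (status, app_data, handshake_types)."""
    reader = RecordReader(tolerate_interleaving)
    reader.start_renegotiation()
    try:
        reader.feed(constructed_peer_stream())
        return ("ok", list(reader.app_data), reader.handshake_msgs)
    except RuntimeError as exc:
        return ("error", str(exc), reader.handshake_msgs)


if __name__ == "__main__":
    print(run_reader(tolerate_interleaving=False))
    print(run_reader(tolerate_interleaving=True))
```

The strict reader fails on the very first record, before it has seen a single handshake message, which is the non-deterministic, timing-dependent outcome the post complains about: whether the in-flight application data lands before or after the peer's ClientHello depends only on what was already on the wire when renegotiation was requested.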
