Re: [TLS] Fwd: Clarification on interleaving app data and handshake records
Hubert Kario <hkario@redhat.com> Sun, 06 December 2015 15:50 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 303691ACEDE for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 07:50:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCc68M4cXemi for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 07:50:39 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D97381ACED8 for <tls@ietf.org>; Sun, 6 Dec 2015 07:50:39 -0800 (PST)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (Postfix) with ESMTPS id 2125DC0A8047; Sun, 6 Dec 2015 15:50:39 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-112-27.ams2.redhat.com [10.36.112.27]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id tB6FoYMZ012222 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 6 Dec 2015 10:50:38 -0500
From: Hubert Kario <hkario@redhat.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Sun, 06 Dec 2015 16:50:28 +0100
Message-ID: <2024935.xrVgKcrptC@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.10 (Linux/4.2.6-201.fc22.x86_64; KDE/4.14.14; x86_64; ; )
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4B9B3DA@uxcn10-5.UoA.auckland.ac.nz>
References: <20151015130040.9F1BB1A2EF@ld9781.wdf.sap.corp> <2348468.lpGyMim7ub@pintsize.usersys.redhat.com> <9A043F3CF02CD34C8E74AC1594475C73F4B9B3DA@uxcn10-5.UoA.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1617483.uhfFOxBrrD"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/3LSC-NhES3HEl99K3CJkGMyBsnI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: Clarification on interleaving app data and handshake records
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2015 15:50:41 -0000
On Saturday 05 December 2015 23:54:25 Peter Gutmann wrote: > Hubert Kario <hkario@redhat.com> writes: > >miTLS does accept Application Data when it is send between Client > >Hello and Client Key Exchange and rejects it when it is sent between > >Change Cipher Spec and Finished. > > Given that miTLS is a formally verified implementation, would this > imply that there's a problem with the verification? "Beware of bugs > in the above code; I have only proved it correct, not tried it"? This behaviour is dictated by the TLS 1.2 RFC, although partially indirectly: - the acceptance of application data during subsequent handshakes is explicit - the no application data between CCS and Finished is implicit, as it is only stated that the Finished MUST be the next message directly following CCS. And since CCS and Finished have different content types, that means that the limitation is cross-content type, unlike for other handshake messages So on the face of it, behaviour of miTLS is correct. Now, as we've discussed on the OpenSSL bug tracker. This does cause problems if we have certificate based client authentication and the TLS library returns client authentication data from *new* handshake while it still has not received and processed Finished message. If that is the case, then the attacker may force the server to process messages under authority it still didn't verify. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [TLS] Fwd: Clarification on interleaving app data… Matt Caswell
- Re: [TLS] Fwd: Clarification on interleaving app … Matt Caswell
- Re: [TLS] Fwd: Clarification on interleaving app … Ilari Liusvaara
- Re: [TLS] Fwd: Clarification on interleaving app … Watson Ladd
- Re: [TLS] Fwd: Clarification on interleaving app … Martin Rex
- Re: [TLS] Fwd: Clarification on interleaving app … Matt Caswell
- Re: [TLS] Fwd: Clarification on interleaving app … David Benjamin
- Re: [TLS] Fwd: Clarification on interleaving app … Martin Thomson
- Re: [TLS] Fwd: Clarification on interleaving app … David Benjamin
- Re: [TLS] Fwd: Clarification on interleaving app … Matt Caswell
- Re: [TLS] Fwd: Clarification on interleaving app … Martin Thomson
- Re: [TLS] Fwd: Clarification on interleaving app … Matt Caswell
- Re: [TLS] Fwd: Clarification on interleaving app … Matt Caswell
- Re: [TLS] Fwd: Clarification on interleaving app … Martin Rex
- Re: [TLS] Fwd: Clarification on interleaving app … Matt Caswell
- Re: [TLS] Fwd: Clarification on interleaving app … Hubert Kario
- Re: [TLS] Fwd: Clarification on interleaving app … Watson Ladd
- Re: [TLS] Fwd: Clarification on interleaving app … Hubert Kario
- Re: [TLS] Clarification on interleaving app data … Short, Todd
- Re: [TLS] Fwd: Clarification on interleaving app … Kurt Roeckx
- Re: [TLS] Fwd: Clarification on interleaving app … Hubert Kario
- Re: [TLS] Fwd: Clarification on interleaving app … Peter Gutmann
- Re: [TLS] Fwd: Clarification on interleaving app … Watson Ladd
- Re: [TLS] Fwd: Clarification on interleaving app … Peter Gutmann
- Re: [TLS] Fwd: Clarification on interleaving app … Watson Ladd
- Re: [TLS] Fwd: Clarification on interleaving app … Peter Gutmann
- Re: [TLS] Fwd: Clarification on interleaving app … Watson Ladd
- Re: [TLS] Fwd: Clarification on interleaving app … Peter Gutmann
- Re: [TLS] Fwd: Clarification on interleaving app … Watson Ladd
- Re: [TLS] Fwd: Clarification on interleaving app … Yoav Nir
- Re: [TLS] Fwd: Clarification on interleaving app … Watson Ladd
- Re: [TLS] Fwd: Clarification on interleaving app … Kurt Roeckx
- Re: [TLS] Fwd: Clarification on interleaving app … Hubert Kario
- Re: [TLS] Fwd: Clarification on interleaving app … Hubert Kario
- Re: [TLS] Fwd: Clarification on interleaving app … Karthikeyan Bhargavan
- Re: [TLS] Fwd: Clarification on interleaving app … Hubert Kario
- Re: [TLS] Fwd: Clarification on interleaving app … Hubert Kario