Re: [TLS] TLS Handshake message length too long

Hubert Kario <> Mon, 17 August 2015 14:20 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B13CC1A03E1 for <>; Mon, 17 Aug 2015 07:20:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id K01T2zeR6N6o for <>; Mon, 17 Aug 2015 07:20:20 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EB08F1A1A57 for <>; Mon, 17 Aug 2015 07:20:19 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPS id 90CBE19C300; Mon, 17 Aug 2015 14:20:19 +0000 (UTC)
Received: from ( []) by (8.14.4/8.14.4) with ESMTP id t7HEKEf2014641 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 17 Aug 2015 10:20:18 -0400
From: Hubert Kario <>
Date: Mon, 17 Aug 2015 16:20:06 +0200
Message-ID: <>
User-Agent: KMail/4.14.9 (Linux/4.1.4-200.fc22.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <>
References: <>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart6131060.RchrRLDOKc"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] TLS Handshake message length too long
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 Aug 2015 14:20:21 -0000

On Sunday 09 August 2015 16:41:19 wrote:
> I have a question regarding the handshake message length.
> The 'decode_error' alert in TLS 1.2 is defined as:
>    decode_error
>       A message could not be decoded because some field was out of the
>       specified range or the length of the message was incorrect. (...)
> It says that the message "could not be decoded". What should happen
> if the specified message length is longer than needed? I.e. the message
> was successfully decoded, but the length of the message was incorrect:
> there is still some unknown data after the defined structure.

that is definitely error for the case of a "length of a field is longer than 
expected" or "there's more data in message than the length specifies"
> For example, a Finished message has a length of 40 bytes,
> but the 'verify_data' array has 32 bytes and there are 8 unknown bytes
> remaining in the received message. The 40 bytes I talk about here
> is the length specified in the Handshake message header.
> Is this also a fatal error?

yes, always

> Should the implementation just drop those bytes and proceed?

definitely not, it should send a fatal alert, close connection and mark 
session as non resumable

> On the other hand, there is the 'illegal_parameter' alert:
>    illegal_parameter
>       A field in the handshake was out of range or inconsistent with
>       other fields.  This message is always fatal.
> Is this alert suitable for the described scenario?

no, it's for values that are explicitly bound to some specific range (e.g. 
client_random length tag always needs to be 32)

verify_data has no range specified (it's opaque data), the negotiatied 
ciphersuite defines what length it has
Hubert Kario
Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purky┼łova 99/71, 612 45, Brno, Czech Republic