Re: [TLS] Quest for Unified Solution to TLS Renegotiation

Martin Rex <mrex@sap.com> Thu, 26 November 2009 18:53 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <200911261853.nAQIrRjP018552@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Thu, 26 Nov 2009 19:53:27 +0100
In-Reply-To: <4B0ECAC0.6080609@pobox.com> from "Michael D'Errico" at Nov 26, 9 10:36:48 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Cc: tls@ietf.org
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
Precedence: list
Reply-To: mrex@sap.com

Michael D'Errico wrote:
> 
> David-Sarah Hopwood wrote:
> > 
> > The TLS spec doesn't seem to be very clear on whether handshake messages
> > with an unrecognized HandshakeType must cause an error (section 7.4).
> > Does anyone know what implementations actually do?
> 
> My code will send a fatal unexpected_message alert.  This seems
> like something that should be a MUST in the spec.

Well.  I remember that a few years back when ASN.1 parsers were
attacked with random garbage, there was something called "asn1brute.c"
that would blindly send a ClientHello directly by a crafted
Certificate message and a lot of Servers would choke on the
ASN.1 of the certificate, including those who had not even
requested a client certificate with CertificateRequest.

There may be some unexpected slack in what kind of handshake
messages individual TLS implementations might process or
even accept in specific situations, where the protocol
doesn't define them to be valid.

An attitude "the finished message will split the good guys from
the bad ones" would not be advisable.

-Martin

[TLS] Quest for Unified Solution to TLS Renegotia… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Stefan Santesson
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Hovav Shacham
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Stephen Farrell
Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
Re: [TLS] Quest for Unified Solution to TLS Reneg… Kyle Hamilton
Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood