Re: [TLS] DTLS Handshake race condition (Martin Rex) Mon, 12 August 2013 18:08 UTC

To: Michael Tuexen <>
Date: Mon, 12 Aug 2013 20:08:11 +0200 (CEST)
From: (Martin Rex)
Subject: Re: [TLS] DTLS Handshake race condition

Michael Tuexen wrote:
> I think the RFC does not cover the race condition I'm referring to...
> What if the HelloRequest(message_seq=0) is lost and the client sends
> a ClientHello(message_seq=0) on its own (since the local user initiates
> a re-handshake). The server accepts the ClientHello and responds with
> a ServerHello(message_seq=1). The client however expects a
> ServerHello(message_seq=0), since it never saw the HelloRequest.
> The HelloRequest is also not retransmitted, since the server considers
> it acked by the ClientHello.
> It is only the collision case I'm considering, and I think it is
> not covered by the RFC.

Your observation seems correct.

The original TLS handshake is only half duplex.  Properly dealing
with renegotiation is therefore non-trivial.  The original TLS spec
addresses the overlapping of the renegotiation handshake by

  - omitting HelloRequests from the Handshake message hash computation.

  - requiring the TLS client to ignore any HelloRequests that
    are received during the handshake (which includes the one
    received after the client has already requested a new handshake
    by sending a ClientHello, as in your scenario).

Another "grey" area, that may not work particularly well with
some TLS implementations, is what happens if one side requests
a renegotiation while the other is still sending application data.

While according to the TLS spec itself this should be OK when renegotiation
handshake messages are interleaved with application data, it may not actually
work with all implementations.  Taken to the extreme, with TLS APIs
that perform peer certificate validation in an event-based fashion,
it may open a potential vulnerability (for servers doing delayed
client authentication) when the client starts the renegotiation
handshake, but stops sending handshake messages after the
client's certificate handshake message and then continues sending
application data under the original/enclosing TLS session.
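As an added illustration (not code from this thread or from any DTLS stack), the following model applies the RFC 6347 message_seq rules quoted above to the three renegotiation flows: HelloRequest delivered, client-initiated without a HelloRequest, and the collision where the HelloRequest is lost. The queueing of a handshake message with a future message_seq and the server treating the spontaneous ClientHello as the answer to its HelloRequest are assumptions matching the scenario described, not behaviour taken from any particular implementation.

```python
"""Constructed model of DTLS handshake message_seq bookkeeping (RFC 6347 4.2.2)."""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    next_send: int = 0   # message_seq to stamp on our next handshake message
    next_recv: int = 0   # message_seq we expect on the peer's next handshake message
    queued: list = field(default_factory=list)

    def send(self, msg_type):
        """Each side numbers its own handshake messages from 0 within a handshake."""
        seq = self.next_send
        self.next_send += 1
        return (msg_type, seq)

    def receive(self, msg):
        """Accept the in-order message; park anything with a future message_seq.

        Assumption: a message whose seq is ahead of next_recv is held back while
        the receiver waits for the missing one, so it cannot complete the flight.
        """
        _, seq = msg
        if seq == self.next_recv:
            self.next_recv += 1
            return "accepted"
        self.queued.append(msg)
        return "queued"


def renegotiation(server_initiates, hello_request_lost=False):
    """Run one renegotiation and return (ServerHello, client's verdict on it)."""
    client, server = Endpoint("client"), Endpoint("server")
    if server_initiates:
        hr = server.send("HelloRequest")   # server-side message_seq 0
        if not hello_request_lost:
            client.receive(hr)             # client now expects ServerHello at seq 1
    # With or without a HelloRequest, the client's first message carries seq 0.
    ch = client.send("ClientHello")
    server.receive(ch)                     # assumption: server treats this as the
                                           # reply to its HelloRequest, so no retransmit
    sh = server.send("ServerHello")        # seq 1 if a HelloRequest went out, else 0
    return sh, client.receive(sh)


if __name__ == "__main__":
    print(renegotiation(server_initiates=True))                          # accepted
    print(renegotiation(server_initiates=False))                         # accepted
    print(renegotiation(server_initiates=True, hello_request_lost=True)) # queued: stall
```

In the lost-HelloRequest case the ServerHello carries message_seq 1 while the client waits for 0, so the client parks it and the handshake stalls exactly as described in the quoted message.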