Gayathri Sundar wrote:
Thanks Richard..but I was thinking only SSL RECORDS with Record Type "APP DATA" contain application data!!! If I can ensure that only complete SSL Records of Type Handshake, Change cipher spec, and Alerts are given to OpenSSL, it can process it right? This way how can openssl know that app data records have been removed..? Hope I am making sense here..
If you are inserting, modifying or deleting any record of any type from the raw socket byte stream, the SSL layers have a very high probability of detecting it.

If you are performing a proper SSL shutdown at the end of transmission, then the SSL layer will notice missing data as well.

I'm hoping/guessing the MAC for each message is computed successively with each new record of all types and seeded with the leftovers of the last. This means if a record of any type is inserted, modified or deleted from the stream, it will be detected at the moment of receiving the new modified data.

If you are performing a proper SSL shutdown, it is mandatory to send a last control record to mark the end of transmission. So even if you removed records of any type preceding it, it will be noticed because the MAC covering the shutdown close_notify alert message will be corrupted.

But in relation to your renegotiation DoS, maybe it's up to the application to enforce an acceptable use policy for the renegotiation function. But the protocol and the OpenSSL library don't impose any limits.
Darryl
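As an added illustration (written for this thread; it is not code from OpenSSL or from either poster), the following Python models the mechanism the TLS 1.0-1.2 record layer actually uses for this: each direction keeps an implicit 64-bit sequence number that advances on every record regardless of content type, and that number is part of the MAC input (RFC 5246 section 6.2.3.1). The MAC key and the record contents are constructed for the demo, and encryption of the records is left out so only the integrity check is visible. Filtering the application-data records out of the stream leaves the receiver's counter out of step, so the very next record it sees (here the close_notify alert) fails verification, which is what makes silent removal of "APP DATA" records detectable.

```python
import hashlib
import hmac
import struct

# TLS record-layer ContentType values (RFC 5246).
CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23
VERSION = (3, 3)  # record-layer version bytes for TLS 1.2


def record_mac(key, seq_num, content_type, fragment):
    """TLS 1.x style record MAC: HMAC over the implicit 64-bit sequence
    number, content type, protocol version, fragment length and fragment.
    HMAC-SHA256 stands in for whatever MAC the cipher suite negotiated."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         VERSION[0], VERSION[1], len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()


class Sender:
    """Write side of one connection direction."""

    def __init__(self, key):
        self.key = key
        self.seq = 0  # implicit sequence number, never sent on the wire

    def send(self, content_type, fragment):
        mac = record_mac(self.key, self.seq, content_type, fragment)
        self.seq += 1  # every record type advances the counter
        return (content_type, fragment, mac)


class Receiver:
    """Read side; mirrors the sender's counter and rejects on mismatch."""

    def __init__(self, key):
        self.key = key
        self.seq = 0

    def receive(self, record):
        content_type, fragment, mac = record
        expected = record_mac(self.key, self.seq, content_type, fragment)
        if not hmac.compare_digest(expected, mac):
            # A real implementation sends a fatal bad_record_mac alert here.
            raise ValueError("bad_record_mac at receiver seq %d" % self.seq)
        self.seq += 1
        return content_type, fragment


def process_stream(key, records):
    """Feed records to a fresh receiver.
    Returns (number of records accepted, error message or None)."""
    rx = Receiver(key)
    accepted = 0
    for rec in records:
        try:
            rx.receive(rec)
        except ValueError as err:
            return accepted, str(err)
        accepted += 1
    return accepted, None


def demo():
    """Compare an intact stream with one whose APP DATA records were removed."""
    key = b"constructed-demo-mac-key"  # constructed, not a real session key
    tx = Sender(key)
    stream = [
        tx.send(HANDSHAKE, b"Finished"),
        tx.send(APPLICATION_DATA, b"GET / HTTP/1.0\r\n\r\n"),
        tx.send(APPLICATION_DATA, b"second application record"),
        tx.send(ALERT, bytes([1, 0])),  # AlertLevel warning, close_notify
    ]
    intact = process_stream(key, stream)
    # Same stream with every application-data record stripped out.
    filtered = [r for r in stream if r[0] != APPLICATION_DATA]
    tampered = process_stream(key, filtered)
    return intact, tampered


if __name__ == "__main__":
    intact, tampered = demo()
    print("intact stream:  ", intact)
    print("filtered stream:", tampered)
```

In the filtered stream only the Finished record is accepted; the close_notify alert arrives while the receiver expects sequence number 1 but the sender computed its MAC under sequence number 3, so the check fails even though the alert bytes themselves are untouched. Inserting or reordering records fails the same way, since any change to the count or the content alters the MAC input.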