On Mon, Jun 08, 2020 at 06:53:32PM +0000, Neil Proctor via openssl-users wrote:
> Hello,
>
> Specific to OpenSSL v1.0.2p and TLS1.2, are there any flags or options, like
> SSL_CERT_FLAG_TLS_STRICT, that set whether or not the client handshake
> finished hash is verified by the server? Or is this always performed
> regardless of configuration?
>
> During some of our testing, it seems that even if the last byte of the client
> handshake finished hash gets modified, the server will still accept and
> complete the handshake and the TLS connection.
Full validation of the Finished is supposed to be done always. Please try to write up some discussion of your test cases; probably a GitHub issue is best (though mail to this list is okay too).

Thanks,
Ben
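For reference, the check the server is expected to perform on the client's Finished message is spelled out in RFC 5246 (sections 5, 7.4.9 and 8.1): verify_data is the PRF of the master secret over the hash of the handshake transcript, and the recipient must recompute it and compare all of it. The following is an added worked example written for this thread, not OpenSSL code and not the poster's test harness. It uses the SHA-256 PRF that TLS 1.2 mandates for cipher suites that do not name another hash, the default 12-byte verify_data_length, and constructed stand-ins for the pre-master secret, the Hello randoms and the handshake transcript; it then flips the last byte of the client's verify_data, as in the poster's test, and shows that the comparison must fail.

```python
"""TLS 1.2 Finished verification, following RFC 5246 sections 5, 7.4.9 and 8.1.

Added example for this thread; this is not OpenSSL code.  The PRF is the
SHA-256 based one RFC 5246 mandates for cipher suites that do not specify
another hash, and verify_data_length is the default 12 bytes.
"""
import hashlib
import hmac
from typing import Dict


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 (RFC 5246 section 5): HMAC-based expansion of secret and seed."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: the master secret is always 48 bytes."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def finished_verify_data(ms: bytes, handshake_messages: bytes, sender: str) -> bytes:
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0:12].

    handshake_messages is the concatenation of every Handshake message sent so
    far on the connection, excluding this Finished and any HelloRequest.
    """
    label = b"client finished" if sender == "client" else b"server finished"
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return prf(ms, label, transcript_hash, 12)


def verify_finished(ms: bytes, handshake_messages: bytes, sender: str, received: bytes) -> bool:
    """What the receiving side must do: recompute verify_data and compare all of it.

    The comparison is constant-time.  A mismatch in any byte, the last one
    included, is a failed Finished and must end the handshake with a fatal
    decrypt_error alert.
    """
    expected = finished_verify_data(ms, handshake_messages, sender)
    return len(received) == len(expected) and hmac.compare_digest(expected, received)


def demo() -> Dict[str, bool]:
    """Run the check on constructed inputs: once genuine, once with the last
    byte of verify_data flipped, and once with the wrong finished label."""
    # Constructed values (not captured traffic) standing in for a real key
    # exchange and handshake transcript.
    pre_master = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"

    ms = master_secret(pre_master, client_random, server_random)
    genuine = finished_verify_data(ms, transcript, "client")

    # Modify only the last byte, as in the poster's test.
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])

    return {
        "genuine_ok": verify_finished(ms, transcript, "client", genuine),
        "tampered_ok": verify_finished(ms, transcript, "client", tampered),
        "wrong_sender_ok": verify_finished(ms, transcript, "server", genuine),
    }


if __name__ == "__main__":
    print(demo())
```

If a server really completes the handshake with `tampered_ok` behaviour, the useful things to capture in a bug report are the exact cipher suite (it selects the PRF hash), whether the modification was made before or after record encryption (a change made after encryption should already fail MAC or AEAD checking, before the Finished is even compared), and a packet capture of the handshake.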