On Wednesday 14 October 2015 16:06:00 Martin Thomson wrote: > On 14 October 2015 at 15:43, Matt Caswell <fr...@baggins.org> wrote: > > "highly dangerous idea" > > Wrong Martin. I agree that there is a need for caution, but in > reality, it's not like you can use renegotiation to hand-off to > someone else entirely. The person you are talking to hasn't changed. > What is dangerous is making assertions about *new* things that the > renegotiation introduces.
Also, we're talking with a peer that does implement RFC 5746, so we can be *sure* that we're talking to the same peer still. So the problem happens when application is querying the library for connection information (certificates mainly) and getting info from new connection while still actually receiving application data from the old context. The problem is, that we can verify the handshake only after we receive Finished message, until then, the server can present any certificate it wants and client has no way of verifying if it (for *DH it can even receive information sent by client after its Finished message). For server it's nicer, as the certificate can be verified much quicker (in the same flight), but the window still exists. That makes it dangerous when going from low to high security context, not so much other way round. -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
