On Sat, Dec 5, 2015 at 9:33 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Watson Ladd <watsonbl...@gmail.com> writes:
>
>>miTLS did not claim to be consistent with the RFC. Rather it claimed to be
>>secure, and to interoperate with most other implementations in circumstances
>>tested. The informal nature of the RFC makes it impossible to carry out
>>formal verification against it.
>
> By that argument, you could start accepting SSH messages in the middle of the
> TLS handshake. No matter how you colour it, accepting Application Data after
> a Client Hello is wrong. Is there any random, non-formally-verified
> implementation that would do that?

Any implementation where the record layer state is maintained separately
from the handshake state will do this automatically. The only security
issue is when data is intermingled across authentication boundaries, but
once the record layer is told to encrypt at all that doesn't happen.

If you disagree, please cite the sentence of the TLS RFC which
prohibits accepting application data records during the handshake.

>
> Peter.

--
"Man is born free, but everywhere he is in chains".
--Rousseau.
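
The behaviour the two messages disagree about, as an added example that is not part of the original thread or of any implementation named in it: a toy record dispatcher that either passes application_data records up regardless of handshake state or rejects them until Finished has been seen. `ToyServer`, `gate_app_data` and the sample stream are hypothetical, and records are plaintext with no cryptography, so only the dispatch logic is modelled.

```python
import struct

# Content types and handshake message types from RFC 5246.
HANDSHAKE, APPLICATION_DATA = 22, 23
CLIENT_HELLO, FINISHED = 1, 20

class UnexpectedMessage(Exception):
    """Stands in for sending a fatal unexpected_message alert."""

def record(ctype, payload):
    """Build one plaintext TLS 1.2 record (constructed test input)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def parse_records(buf):
    """Yield (content_type, payload) for each record in buf."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", buf, off)
        body = buf[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ctype, body
        off += 5 + length

class ToyServer:
    def __init__(self, gate_app_data):
        self.gate_app_data = gate_app_data
        self.established = False   # handshake state, owned by the handshake layer
        self.delivered = []        # payloads passed up to the application

    def feed(self, buf):
        for ctype, body in parse_records(buf):
            if ctype == HANDSHAKE:
                # Toy state machine: only the Finished message completes it.
                if body[:1] == bytes([FINISHED]):
                    self.established = True
            elif ctype == APPLICATION_DATA:
                if self.gate_app_data and not self.established:
                    raise UnexpectedMessage("application_data before Finished")
                self.delivered.append(body)
            else:
                raise UnexpectedMessage(f"unhandled content type {ctype}")

# Constructed stream: ClientHello, early application data, Finished, more data.
STREAM = (record(HANDSHAKE, bytes([CLIENT_HELLO, 0, 0, 0])) +
          record(APPLICATION_DATA, b"early") +
          record(HANDSHAKE, bytes([FINISHED, 0, 0, 0])) +
          record(APPLICATION_DATA, b"late"))
```

With `gate_app_data=False` the record layer never consults the handshake state and both payloads reach the application; with `gate_app_data=True` the same stream is rejected at the first application_data record.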