On Saturday 05 December 2015 23:54:25 Peter Gutmann wrote: > Hubert Kario <hka...@redhat.com> writes: > >miTLS does accept Application Data when it is send between Client > >Hello and Client Key Exchange and rejects it when it is sent between > >Change Cipher Spec and Finished. > > Given that miTLS is a formally verified implementation, would this > imply that there's a problem with the verification? "Beware of bugs > in the above code; I have only proved it correct, not tried it"?
This behaviour is dictated by the TLS 1.2 RFC, although partially indirectly: - the acceptance of application data during subsequent handshakes is explicit - the no application data between CCS and Finished is implicit, as it is only stated that the Finished MUST be the next message directly following CCS. And since CCS and Finished have different content types, that means that the limitation is cross-content type, unlike for other handshake messages So on the face of it, behaviour of miTLS is correct. Now, as we've discussed on the OpenSSL bug tracker. This does cause problems if we have certificate based client authentication and the TLS library returns client authentication data from *new* handshake while it still has not received and processed Finished message. If that is the case, then the attacker may force the server to process messages under authority it still didn't verify. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
