On Saturday 05 December 2015 19:20:11 Watson Ladd wrote:
> On Sat, Dec 5, 2015 at 6:54 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> > Hubert Kario <hka...@redhat.com> writes:
> >>miTLS does accept Application Data when it is sent between Client
> >>Hello and Client Key Exchange and rejects it when it is sent
> >>between Change Cipher Spec and Finished.
> >>
> > Given that miTLS is a formally verified implementation, would this
> > imply that there's a problem with the verification? "Beware of
> > bugs in the above code; I have only proved it correct, not tried
> > it"?
>
> Are you saying there is a security flaw with the behavior described?
> Because I don't believe there is after one adopts Extended Master
> Secret. (Someone more familiar with the security should check this)
Extended Master Secret doesn't come into play here at all. The attack requires just a passive observation of a legitimate exchange for the attacker to have enough information to fake its identity, provided that the TLS library returns data to the application from a new handshake in renegotiation before the renegotiation has finished.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
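As an added illustration (not code from the thread or from miTLS), a minimal record-layer gate that implements the rule the reply argues for: application data belonging to a new handshake, initial or renegotiation, is not handed to the application until that handshake's Finished has been processed, regardless of whether it arrives before ClientKeyExchange or after ChangeCipherSpec. The message names, the single-Finished simplification and the string verdicts are assumptions of this example.

```python
from enum import Enum, auto


class Msg(Enum):
    """Record/handshake message kinds the gate cares about (TLS 1.2 names)."""
    CLIENT_HELLO = auto()
    SERVER_HELLO = auto()
    CLIENT_KEY_EXCHANGE = auto()
    CHANGE_CIPHER_SPEC = auto()
    FINISHED = auto()
    APPLICATION_DATA = auto()


class RecordGate:
    """Decides whether an incoming record may be passed to the application.

    Rule: application data is delivered only while no handshake is in
    flight.  A ClientHello (initial or renegotiation) opens a handshake and
    the peer's Finished closes it (simplification: one Finished per
    handshake).  Application data seen in between is rejected, whether it
    arrives before ClientKeyExchange or after ChangeCipherSpec, which is
    exactly the distinction the thread says miTLS drew.
    """

    def __init__(self):
        self.handshake_in_progress = False
        self.established = False

    def receive(self, msg):
        """Return 'deliver', 'handshake' or 'reject' for one record."""
        if msg is Msg.CLIENT_HELLO:
            # Initial handshake or renegotiation: either way, close the gate.
            self.handshake_in_progress = True
            return "handshake"
        if msg is Msg.APPLICATION_DATA:
            if self.handshake_in_progress or not self.established:
                return "reject"  # would be an unexpected_message alert
            return "deliver"
        # Any other handshake record needs an open handshake.
        if not self.handshake_in_progress:
            return "reject"
        if msg is Msg.FINISHED:
            self.handshake_in_progress = False
            self.established = True
        return "handshake"


def run(sequence):
    """Feed a constructed record sequence through a fresh gate."""
    gate = RecordGate()
    return [gate.receive(m) for m in sequence]
```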
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls