I appear to have run across an implementation that does not appear to
violate the specification, but which in my opinion is just plain wrong.

I am doing a handshake with PSK.  On the second flight from the client it
sends 

[ChangeCipherSpec]
Finished

The server sees that the ChangeCipherSpec occurs and moves to use the keys.
It then attempts to validate the MAC on the Finished message and silently
ignores the Finished message because the MAC is incorrect and the text says
that it is legal to ignore packets which have a bad MAC.  This means that my
client re-sends the same flight to the server on and on because it never
gets a response and assumes that the packet must be getting lost in transit.


The document does not say that ignoring of bad MACs does not apply until the
Finished message is received and processed.  I am not sure, but I believe
the document needs to say that one cannot ignore a failed MAC on the first
block of data in any epoch and must error on those messages.  

I have not looked to see if this is an issue for DTLS 1.3, but it could
easily be.

Jim


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
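
The failure mode described in this message, as an added toy simulation (not code from the post or from any DTLS implementation). It compares a server that silently discards every bad-MAC record with one that sends an alert until some record in the new epoch has verified. Assumptions: the bad MAC comes from mismatched PSKs, the key derivation is a stand-in for the real key schedule, the retransmit timer starts at 1 s and doubles up to 60 s, and all function and policy names are hypothetical.

```python
import hashlib
import hmac

def epoch_key(psk: bytes) -> bytes:
    # Toy stand-in for the DTLS key schedule: one MAC key per PSK for epoch 1.
    return hmac.new(psk, b"epoch-1 mac key", hashlib.sha256).digest()

def protect(key: bytes, payload: bytes) -> bytes:
    # Record = payload followed by a 32-byte HMAC-SHA256 tag.
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def server_receive(key, record, epoch_verified, policy):
    """Return (reply, epoch_verified); reply None models a silent discard."""
    payload, tag = record[:-32], record[-32:]
    if hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return "server Finished", True
    # Hypothetical policy: a bad MAC is an error until the epoch's keys are proven.
    if policy == "alert_until_epoch_verified" and not epoch_verified:
        return "fatal alert", epoch_verified
    return None, epoch_verified

def run_handshake(client_psk, server_psk, policy, max_transmissions=6):
    """Simulate the client's [ChangeCipherSpec], Finished flight.

    Returns (outcome, transmissions sent, seconds spent waiting)."""
    record = protect(epoch_key(client_psk), b"Finished")
    server_key, verified = epoch_key(server_psk), False
    timeout, waited = 1, 0  # assumed timer: start at 1 s, double, cap at 60 s
    for sent in range(1, max_transmissions + 1):
        reply, verified = server_receive(server_key, record, verified, policy)
        if reply is not None:
            return reply, sent, waited
        waited += timeout  # no answer: the client assumes loss and retransmits
        timeout = min(timeout * 2, 60)
    return "gave up, no diagnosis", sent, waited

if __name__ == "__main__":
    # Constructed sample PSKs that deliberately do not match.
    for policy in ("silent_discard", "alert_until_epoch_verified"):
        print(policy, run_handshake(b"client-psk", b"server-psk", policy))
```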
