On Thursday, 5 July 2018 02:06:45 CEST Martin Thomson wrote:
> On Wed, Jul 4, 2018 at 7:55 PM Hubert Kario <hka...@redhat.com> wrote:
> > Despite this, is it correct to terminate a connection with
> > "illegal_parameter" upon receiving a Finished handshake message with a
> > 100 byte payload? or a 20 byte payload? My opinion is that it is not,
> > "decode_error" is more specific so it should be used instead.
>
> When there are multiple problems with a message, why do we need to
> accept just one of the possible alerts? That assumes either a very
> particular order of processing, or a strict precedence order for
> errors. Like Rich says, there is a degree of imprecision in our error
> reporting, but - for me - that's OK.

but there are no multiple problems with the message in question

no part of the TLS standards states that the implementation should check if
the length of the handshake message lies within expected bounds

but there *is* a section that explicitly calls out that the implementation
needs to verify if the handshake message matches the header, *after* parsing

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
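
The parse-then-compare order discussed in the message above, as an added example that is not part of the original e-mail or of any TLS implementation. It assumes a 32-byte `verify_data` (TLS 1.3 with a SHA-256 suite) and one buffered handshake message; the function names and sample messages are constructed for illustration.

```python
HT_FINISHED = 20               # HandshakeType.finished
ALERT_UNEXPECTED_MESSAGE = 10  # AlertDescription values from the TLS RFCs
ALERT_DECODE_ERROR = 50
VERIFY_DATA_LEN = 32           # assumption: TLS 1.3, SHA-256 cipher suite


class TLSAlert(Exception):
    def __init__(self, description, reason):
        super().__init__(reason)
        self.description = description


def parse_finished(msg: bytes) -> bytes:
    """Return verify_data from one buffered Finished message or raise TLSAlert."""
    if len(msg) < 4:
        raise TLSAlert(ALERT_DECODE_ERROR, "truncated handshake header")
    msg_type, declared = msg[0], int.from_bytes(msg[1:4], "big")
    if msg_type != HT_FINISHED:
        raise TLSAlert(ALERT_UNEXPECTED_MESSAGE, "expected Finished")
    body = msg[4:]
    if len(body) < declared:
        raise TLSAlert(ALERT_DECODE_ERROR, "body shorter than header length")
    # Parse the structure first: Finished is a single fixed-size field.
    verify_data = body[:VERIFY_DATA_LEN]
    if len(verify_data) != VERIFY_DATA_LEN:
        raise TLSAlert(ALERT_DECODE_ERROR, "verify_data truncated")
    consumed = len(verify_data)
    # Only after parsing, compare what was consumed with the header length.
    if consumed != declared:
        raise TLSAlert(ALERT_DECODE_ERROR, "header length does not match parsed message")
    return verify_data


def alert_for(msg: bytes):
    """Alert description the parser would send, or None if the message parses."""
    try:
        parse_finished(msg)
    except TLSAlert as alert:
        return alert.description
    return None


def make_finished(payload_len: int) -> bytes:
    """Constructed sample: Finished header plus payload_len filler bytes."""
    return bytes([HT_FINISHED]) + payload_len.to_bytes(3, "big") + b"\xab" * payload_len
```

With this ordering, both the 100-byte and the 20-byte payloads from the thread fail at the decoding stage, before any comparison of the `verify_data` value takes place.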