Are there any flags that control client finished hash verification

OpenSSL - User mailing list

Hello,
Specific to OpenSSL v1.0.2p and TLS 1.2: are there any flags or options, like SSL_CERT_FLAG_TLS_STRICT, that set whether or not the client handshake Finished hash is verified by the server? Or is this always performed regardless of configuration?
During some of our testing, it seems that even if the last byte of the client handshake Finished hash gets modified, the server will still accept and complete the handshake and the TLS connection.
Thanks

Re: Are there any flags that control client finished hash verification

On Mon, Jun 08, 2020 at 06:53:32PM +0000, Neil Proctor via openssl-users wrote:
> Hello,
>
> Specific to OpenSSL v1.0.2p and TLS 1.2: are there any flags or options, like SSL_CERT_FLAG_TLS_STRICT, that set whether or not the client handshake Finished hash is verified by the server? Or is this always performed regardless of configuration?
>
> During some of our testing, it seems that even if the last byte of the client handshake Finished hash gets modified, the server will still accept and complete the handshake and the TLS connection.

Full validation of the Finished is supposed to be done always.
Please try to write up some discussion of your test cases; probably a github
issue is best (though mail to this list is okay too).

Thanks,

Ben
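As an added illustration of what the thread is discussing (this is example code written for this page, not code from either poster and not OpenSSL's implementation), the following reproduces the TLS 1.2 Finished computation from RFC 5246 (P_hash and the PRF in section 5, verify_data in section 7.4.9) and the receiver-side check a server must perform on the client's Finished. It then repeats the poster's experiment: a correct verify_data is accepted, the same value with its last byte modified is rejected, and so is a value computed over a different transcript or with the wrong label. The master secret and the "handshake messages" byte string are constructed stand-ins, not real handshake material.

```python
"""
TLS 1.2 Finished computation and verification (RFC 5246 sections 5 and 7.4.9).
Added example for this page; not from the original thread and not OpenSSL code.
"""
import hashlib
import hmac

VERIFY_DATA_LEN = 12  # RFC 5246: verify_data_length is 12 for all standard cipher suites


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5246 section 5, P_hash:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ..."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()             # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()   # HMAC(secret, A(i) || seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256 based suites: P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length, "sha256")


def finished_verify_data(master_secret: bytes, handshake_messages: bytes, role: str) -> bytes:
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0:12].
    handshake_messages is the concatenation of all Handshake messages exchanged so far
    (both directions, excluding HelloRequest and excluding this Finished itself)."""
    label = b"client finished" if role == "client" else b"server finished"
    transcript_hash = hashlib.sha256(handshake_messages).digest()
    return tls12_prf(master_secret, label, transcript_hash, VERIFY_DATA_LEN)


def receiver_checks_finished(master_secret: bytes, handshake_messages: bytes,
                             received_verify_data: bytes, sender_role: str) -> bool:
    """What the peer must do on receipt: recompute verify_data over its own view of the
    transcript and compare in constant time. Any mismatch, even a single bit, must abort
    the handshake (RFC 5246 specifies a fatal decrypt_error alert)."""
    expected = finished_verify_data(master_secret, handshake_messages, sender_role)
    return hmac.compare_digest(expected, received_verify_data)


def flip_last_byte(data: bytes) -> bytes:
    """Modify only the last byte, as in the poster's test."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


# Constructed inputs (not real handshake material): a fixed 48-byte master secret and a
# stand-in for the concatenated handshake messages up to ClientKeyExchange.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"


def run_experiment() -> dict:
    """Returns, for each variant of the client Finished, whether a correct server accepts it."""
    good = finished_verify_data(MASTER_SECRET, TRANSCRIPT, "client")
    return {
        "correct": receiver_checks_finished(MASTER_SECRET, TRANSCRIPT, good, "client"),
        "last_byte_modified": receiver_checks_finished(MASTER_SECRET, TRANSCRIPT,
                                                       flip_last_byte(good), "client"),
        "transcript_differs": receiver_checks_finished(MASTER_SECRET, TRANSCRIPT + b"|Extra",
                                                       good, "client"),
        "wrong_label": receiver_checks_finished(MASTER_SECRET, TRANSCRIPT, good, "server"),
    }


if __name__ == "__main__":
    for name, accepted in run_experiment().items():
        print(f"{name:20s} accepted={accepted}")
```

Two practical caveats when reproducing the poster's test against a real server. First, the Finished is the first message sent under the new record keys, so modifying it on the wire is caught by the record-layer MAC or AEAD check before the Finished is even parsed; to exercise the verify_data comparison itself, the plaintext verify_data has to be altered on the client side before it is encrypted. Second, for comparison with the code above, the check in OpenSSL 1.0.2 lives in ssl3_get_finished() in ssl/s3_both.c, which compares the received bytes against the locally computed peer_finish_md with CRYPTO_memcmp and fails with SSL_R_DIGEST_CHECK_FAILED on any mismatch; there is no configuration option that skips it, which matches the reply above.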