One last question on ClientFinished


Suchindra Chandrahas
Hi All,
ClientFinished message has 2 hashes (md5 and
sha1) of "All Handshake Messages" till that but not
including ClientFinished message itself. In a
Handshake message, I notice that there are two
sections:

1. Record Layer Header (16 03 00...)
2. Handshake Protocol (<handshake type>, <length of
handshake message> <ssl version> <handshake message>)

In the RFC for ssl v3, I notice that we should not use
the record layer headers in calculating ClientFinished
message Hashes. So should I take the second one
mentioned above (with Handshake Type, Length, SSL
Version and the message) or should I consider only the
Handshake Message (the last part of 2. above)?


Thanks a lot and Regards,
Suchindra Chandrahas



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: One last question on ClientFinished

Marek.Marcola
On Fri, 2007-12-21 at 22:23 -0800, Suchindra Chandrahas wrote:

> Hi All,
> ClientFinished message has 2 hashes (md5 and
> sha1) of "All Handshake Messages" till that but not
> including ClientFinished message itself. In a
> Handshake message, I notice that there are two
> sections:
>
> 1. Record Layer Header (16 03 00...)
> 2. Handshake Protocol (<handshake type>, <length of
> handshake message> <ssl version> <handshake message>)
>
> In the RFC for ssl v3, I notice that we should not use
> the record layer headers in calculating ClientFinished
> message Hashes. So should I take the second one
> mentioned above (with Handshake Type, Length, SSL
> Version and the message) or should I consider only the
> Handshake Message (the last part of 2. above)?

You should use all handshake data (type, len, version, msg)
in the calculation of the Finished digests.
You should not include the ChangeCipherSpec packet in this
calculation, because this packet is not part of the handshake
protocol (this packet is a protocol itself).

Best regards,
--
Marek Marcola <[hidden email]>
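
The calculation discussed above, as an added example that is not part of the original thread and is not OpenSSL's code: it strips the record-layer headers from a constructed, abbreviated SSLv3 flight, keeps every handshake message together with its own header, ignores ChangeCipherSpec, and computes the two Finished hashes with the pad and sender constants from RFC 6101. The helper names, sample message bodies and master secret are assumptions made for illustration.

```python
import hashlib
import struct

HANDSHAKE = 22                                   # record content type 0x16
SENDER_CLIENT, SENDER_SERVER = b"CLNT", b"SRVR"  # sender constants, RFC 6101

def handshake_transcript(stream: bytes) -> bytes:
    """Strip 5-byte record headers; keep handshake bytes (type, length, body).
    Expects the plaintext records sent before the Finished message. Records of
    any other content type (ChangeCipherSpec is type 20) contribute nothing.
    """
    out, pos = bytearray(), 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        if ctype == HANDSHAKE:
            out += payload   # coalesced or fragmented messages simply concatenate
        pos += 5 + length
    return bytes(out)

def sslv3_finished(transcript: bytes, master_secret: bytes, sender: bytes) -> bytes:
    """md5_hash (16 bytes) followed by sha_hash (20 bytes), per RFC 6101."""
    result = b""
    for algo, pad_len in (("md5", 48), ("sha1", 40)):
        inner = hashlib.new(
            algo, transcript + sender + master_secret + b"\x36" * pad_len).digest()
        result += hashlib.new(algo, master_secret + b"\x5c" * pad_len + inner).digest()
    return result

def record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0300, len(payload)) + payload

def handshake(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Constructed, abbreviated flight (placeholder bodies, not a real capture).
MESSAGES = [handshake(1, b"\x03\x00" + bytes(32) + b"\x00\x00\x02\x00\x0a\x01\x00"),
            handshake(2, b"\x03\x00" + bytes(32) + b"\x00\x00\x0a\x00"),
            handshake(14, b""),
            handshake(16, bytes(48))]
# ServerHello and ServerHelloDone share one record; ChangeCipherSpec comes last.
STREAM = (record(22, MESSAGES[0]) + record(22, MESSAGES[1] + MESSAGES[2])
          + record(22, MESSAGES[3]) + record(20, b"\x01"))
MASTER_SECRET = bytes(range(48))  # constructed 48-byte master secret
print(sslv3_finished(handshake_transcript(STREAM), MASTER_SECRET, SENDER_CLIENT).hex())
```

Because the transcript is a plain concatenation of handshake-record payloads, it does not matter how the record layer grouped or split the messages.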

Re: One last question on ClientFinished

Suchindra Chandrahas
Thanks Marek. Will implement the same!

Thanks and Regards,
Suchindra Chandrahas





Marek Marcola <[hidden email]> wrote:
> On Fri, 2007-12-21 at 22:23 -0800, Suchindra Chandrahas wrote:
>
> > Hi All,
> > ClientFinished message has 2 hashes (md5 and
> > sha1) of "All Handshake Messages" till that but not
> > including ClientFinished message itself. In a
> > Handshake message, I notice that there are two
> > sections:
> >
> > 1. Record Layer Header (16 03 00...)
> > 2. Handshake Protocol (<handshake type>, <length of
> > handshake message> <ssl version> <handshake message>)
> >
> > In the RFC for ssl v3, I notice that we should not use
> > the record layer headers in calculating ClientFinished
> > message Hashes. So should I take the second one
> > mentioned above (with Handshake Type, Length, SSL
> > Version and the message) or should I consider only the
> > Handshake Message (the last part of 2. above)?
>
> You should use all handshake data (type, len, version, msg)
> in the calculation of the Finished digests.
> You should not include the ChangeCipherSpec packet in this
> calculation, because this packet is not part of the handshake
> protocol (this packet is a protocol itself).
>
> Best regards,
> --
> Marek Marcola
