Renegotiation ticket 3712

Renegotiation ticket 3712

Mody, Darshan (Darshan)
Hi Matt,

Is re-negotiation fixed with openssl 1.1.0? https://rt.openssl.org/Ticket/Display.html?id=3712&user=guest&pass=guest

From the ticket it seems it's marked resolved but your patch is not in the openssl base due to possible vulnerabilities.

Thanks
Darshan

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: Renegotiation ticket 3712

Matt Caswell-2


On 02/04/17 04:50, Mody, Darshan (Darshan) wrote:
> Hi Matt,
>
> Is re-negotiation fixed with openssl 1.1.0?
> https://rt.openssl.org/Ticket/Display.html?id=3712&user=guest&pass=guest
>
> From the ticket it seems it's marked resolved but your patch is not in
> the openssl base due to possible vulnerabilities.

No, this issue is not fixed. It would require a major overhaul to
properly fix it, and I don't think it is considered worth it for this issue.

Matt
Re: Renegotiation ticket 3712

Mody, Darshan (Darshan)
Thanks Matt,

Just another query. Is the issue addressed in the latest openssl 1.1.0?

Regards
Darshan

Re: Renegotiation ticket 3712

Matt Caswell-2


On 03/04/17 11:24, Mody, Darshan (Darshan) wrote:
> Thanks Matt,
>
> Just another query. Is the issue addressed in the latest openssl 1.1.0?

My answer was for 1.1.0 (as was your original question)? In any case it
is not addressed in any OpenSSL version.

Matt

Re: Renegotiation ticket 3712

Mody, Darshan (Darshan)
Matt,

I was under the impression that the issue would have been addressed in the latest openssl version 1.1.0.

In the case of high-traffic and high-security networks, one of the best ways to validate a long-lived connection is to do renegotiation (unless the negotiated protocol is TLS 1.3, which is still in the draft phase). Since the traffic cannot be stopped and, as mentioned in the RFC, app data and renegotiation can be interleaved, there is a good chance that openssl would encounter app data instead of a handshake message. This makes openssl throw an unexpected record error, for which the application has to take an action (mostly closing the connection due to the error encountered), thus leading to traffic disruption.

The issue is fairly time sensitive and leads to a non-deterministic outcome.

Hence I was expecting the issue to be addressed with openssl version 1.1.0 due to the major overhaul of the state machine and internals.

Thanks
Darshan

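As an added illustration of the interleaving described in the message above (not code from this thread or from OpenSSL), the Python below parses one direction of a TLS 1.2 byte stream at the record layer and flags application_data records that arrive while a renegotiation handshake is in flight, the situation in which the library raises its unexpected-record error. Record layout and content-type values follow RFC 5246; the byte stream is constructed, not captured.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

def record(ctype: int, body: bytes) -> bytes:
    """Build one TLS 1.2 record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def parse_records(stream: bytes):
    """Split one direction of a raw TLS byte stream into (content_type, payload) pairs."""
    records, off = [], 0
    while off < len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5].ljust(5, b"\0"))
        body = stream[off + 5:off + 5 + length]
        if off + 5 > len(stream) or len(body) != length:
            raise ValueError(f"truncated record at offset {off}")
        records.append((ctype, body))
        off += 5 + length
    return records

def interleaved_app_data(stream: bytes):
    """Indices of application_data records sent while a renegotiation is in flight. Only
    record headers are inspected: renegotiation handshake messages are encrypted on the wire."""
    state, ccs_seen, hits = "handshake", False, []
    for idx, (ctype, _body) in enumerate(parse_records(stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            ccs_seen = True
        elif ctype == HANDSHAKE:
            if ccs_seen:                  # the Finished record closes this (re)negotiation
                state, ccs_seen = "established", False
            elif state == "established":  # first handshake record after the initial handshake
                state = "renegotiating"
        elif ctype == APPLICATION_DATA and state == "renegotiating":
            hits.append(idx)              # the situation ticket 3712 describes
    return hits

# Constructed sample (not a real capture): one direction of a session that renegotiates once.
SAMPLE = b"".join([
    record(HANDSHAKE, b"\x01" + b"\x00" * 7),  # 0: ClientHello (initial, in the clear)
    record(CHANGE_CIPHER_SPEC, b"\x01"),       # 1
    record(HANDSHAKE, b"\xaa" * 40),           # 2: Finished (encrypted)
    record(APPLICATION_DATA, b"\xbb" * 32),    # 3: normal traffic
    record(HANDSHAKE, b"\xcc" * 48),           # 4: renegotiation ClientHello (encrypted)
    record(APPLICATION_DATA, b"\xdd" * 32),    # 5: app data interleaved with the handshake
    record(CHANGE_CIPHER_SPEC, b"\x01"),       # 6
    record(HANDSHAKE, b"\xff" * 40),           # 7: Finished
    record(APPLICATION_DATA, b"\xbb" * 32),    # 8: traffic after the renegotiation
])
```

Running `interleaved_app_data(SAMPLE)` returns `[5]`, the one record a receiver that rejects application data mid-handshake would reject.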

Re: Renegotiation ticket 3712

OpenSSL - Dev mailing list
> The issue is fairly time sensitive and leads to non-deterministic outcome.
>
> Hence I was expecting the issue to be addressed with openssl version 1.1.0
> due to major overhaul of state machine and internals.

Perhaps a more accurate way to say it is "I was hoping ..." :)

If this is important to you -- and Matt has said that it's not important to (some of) the OpenSSL team -- then you will have to fix it yourself.  If you do, I hope you will make a PR to feed it back to the open source community.