SSL_CTX_set_msg_callback does not invoke for received change_cipher_spec


SSL_CTX_set_msg_callback does not invoke for received change_cipher_spec

Vakul Garg

Hi

I am using openssl s_server and s_client with ‘-msg’ option to track tls1.2 records being exchanged.

I notice that while the transmitted change_cipher_spec record gets printed, the reception of the change_cipher_spec record is not reported.

For the received change_cipher_spec record, the callback (registered using SSL_set_msg_callback_arg) gets invoked only for the record header, but not for the record content.

So there is no callback for received SSL3_RT_CHANGE_CIPHER_SPEC. For the transmitted change_cipher_spec record, things are fine.

Further, message callback invocation is correct for the DTLS1.2 case as well.

Regards

Vakul


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: SSL_CTX_set_msg_callback does not invoke for received change_cipher_spec

On 08/14/2017 11:30 PM, Vakul Garg wrote:

> Hi
>
> I am using openssl s_server and s_client with ‘-msg’ option to track tls1.2 records being exchanged.
>
> I notice that while the transmitted change_cipher_spec record gets printed, the reception of the change_cipher_spec record is not reported.
>
> For the received change_cipher_spec record, the callback (registered using SSL_set_msg_callback_arg) gets invoked only for the record header, but not for the record content.
>
> So there is no callback for received SSL3_RT_CHANGE_CIPHER_SPEC. For the transmitted change_cipher_spec record, things are fine.

There is no variable content in a ChangeCipherSpec message -- a single byte of value 1. Are you trying to argue that the callback still ought to be invoked out of some philosophical sense of consistency?

In any case, if I remember correctly, ChangeCipherSpec is processed at a very low layer and isn't propagated up to the layer that invokes the message callback, and if one looks at the tradeoff between extra complexity to propagate it up versus not having a message callback event for it, there are some reasonable reasons to prefer the status quo.

> Further, message callback invocation is correct for the DTLS1.2 case as well.

(Just with respect to ChangeCipherSpec?)

-Ben

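As an added example (not code from the thread or from OpenSSL itself): a message callback that still accounts for a received ChangeCipherSpec by inspecting the SSL3_RT_HEADER event, which OpenSSL does deliver for the received record, and a replay of the callback sequence the thread describes. The OpenSSL constants are copied locally (assumed values from <openssl/ssl.h>) so the block compiles stand-alone, and replay_tls12_ccs feeds a constructed sequence rather than a live handshake.

```c
/* Constants mirror <openssl/ssl.h> so the block compiles without OpenSSL
 * headers installed; a real program includes that header and drops them. */
#include <stddef.h>

#ifndef SSL3_RT_CHANGE_CIPHER_SPEC
#define SSL3_RT_CHANGE_CIPHER_SPEC 20
#define SSL3_RT_HEADER             0x100
#endif
typedef struct ssl_st SSL;   /* opaque handle, as in OpenSSL */

/* Per-connection counters; a real program passes a pointer to these as the
 * callback argument via SSL_set_msg_callback_arg(). */
typedef struct {
    int ccs_rx_header;   /* received CCS observed through its record header */
    int ccs_rx_body;     /* received CCS body callbacks (OpenSSL delivers none) */
    int ccs_tx_body;     /* transmitted CCS body callbacks (delivered normally) */
} ccs_stats;

/* Same signature as the callback type taken by SSL_CTX_set_msg_callback().
 * For a received CCS the only event is the 5-byte header (content_type ==
 * SSL3_RT_HEADER), whose first byte carries the record's content type. */
static void msg_cb(int write_p, int version, int content_type,
                   const void *buf, size_t len, SSL *ssl, void *arg)
{
    ccs_stats *st = arg;
    const unsigned char *p = buf;
    (void)version; (void)ssl;
    if (content_type == SSL3_RT_HEADER) {
        if (len >= 5 && p[0] == SSL3_RT_CHANGE_CIPHER_SPEC && !write_p)
            st->ccs_rx_header++;
    } else if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
        if (write_p) st->ccs_tx_body++; else st->ccs_rx_body++;
    }
}

/* Replays the callback sequence the thread describes for TLS 1.2 (a
 * constructed sequence, not a live handshake): header + body for the CCS we
 * send, header only for the CCS we receive. */
ccs_stats replay_tls12_ccs(void)
{
    ccs_stats st = {0, 0, 0};
    const unsigned char hdr[5] = {SSL3_RT_CHANGE_CIPHER_SPEC, 3, 3, 0, 1};
    const unsigned char body[1] = {1};
    msg_cb(1, 0, SSL3_RT_HEADER, hdr, sizeof hdr, NULL, &st);
    msg_cb(1, 0x0303, SSL3_RT_CHANGE_CIPHER_SPEC, body, sizeof body, NULL, &st);
    msg_cb(0, 0, SSL3_RT_HEADER, hdr, sizeof hdr, NULL, &st);
    return st;
}
```

Checking ccs_rx_header rather than waiting for an SSL3_RT_CHANGE_CIPHER_SPEC event is what lets a logging or monitoring callback see both directions of the TLS 1.2 handshake.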