

SKIP: TLS bug in gnu/javax/net/ssl/provider

From: Karthikeyan Bhargavan
Subject: SKIP: TLS bug in gnu/javax/net/ssl/provider
Date: Fri, 6 Mar 2015 07:40:39 +0100


We’ve been testing TLS implementations for state machine violations and found a 
number of unexpected behaviours.
See: http://www.smacktls.com
I am writing to report a bug in classpath’s TLS implementation at 

Both the client and server in classpath’s TLS library allow the peer to skip 
the ChangeCipherSpec message, hence disabling encryption.
That is, they will accept a Finished message in the handshake even if they have 
not received a ChangeCipherSpec message.
The easy fix is to require CCS before finished, *and* to ensure that no 
messages are received between CCS and Finished.

The bug allows the peer to downgrade any TLS connection to plaintext.
This is worrying in itself, but also opens up more serious attacks.
For example, see the attacks on Java in http://www.smacktls.com/smack.pdf

I’d be happy to discuss this bug in more detail with whoever’s working on that 
bit of the code.
We have tests and demos and would be happy to help test patches.


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
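The state-machine condition described in the mail above, shown as an added example (illustrative Python, not GNU Classpath's code). It models a server-side receiver in two modes: one that accepts Finished whenever its verify_data checks out, whether or not ChangeCipherSpec arrived, and one that applies the proposed fix (CCS must precede Finished, and nothing may arrive between the two). The Record class, the two receiver policies, the toy master secret and the simplified verify_data computation are assumptions made for the example; message and alert names follow RFC 5246.

```python
"""
Toy TLS 1.2 server-side handshake state machine (constructed example, not
GNU Classpath code). It shows why a receiver that does not require
ChangeCipherSpec before Finished completes the handshake in plaintext.
"""
import hashlib
import hmac

# Abbreviated flow: RSA key exchange, no client authentication.
CLIENT_HELLO, CLIENT_KEY_EXCHANGE, FINISHED = "ClientHello", "ClientKeyExchange", "Finished"
CHANGE_CIPHER_SPEC = "ChangeCipherSpec"   # its own content type, not a handshake message

MASTER_SECRET = b"constructed-master-secret-for-demo"   # constructed sample value


class HandshakeError(Exception):
    pass


def client_verify_data(transcript):
    """Stand-in for PRF(master_secret, "client finished", Hash(handshake_messages)).
    ChangeCipherSpec is not a handshake message, so it is not in the transcript:
    a peer (or a MITM) that drops CCS does not change verify_data at all."""
    digest = hashlib.sha256("|".join(transcript).encode()).digest()
    return hmac.new(MASTER_SECRET, b"client finished" + digest, hashlib.sha256).digest()[:12]


class Record:
    """One record as delivered to the receiver. `encrypted` says whether the
    peer protected it with the new keys; a mismatch with the receiver's own
    read state is what a real record layer reports as a decode/MAC failure."""
    def __init__(self, msg, encrypted, verify_data=b""):
        self.msg, self.encrypted, self.verify_data = msg, encrypted, verify_data


class Server:
    """strict=False models the reported behaviour: Finished is accepted as long
    as verify_data matches, with or without a preceding CCS.
    strict=True models the fix proposed in the mail: CCS must come before
    Finished, and no other message may arrive between them."""
    def __init__(self, strict):
        self.strict = strict
        self.read_keys_active = False     # flipped only by ChangeCipherSpec
        self.expecting_finished = False   # set by CCS: only Finished may follow
        self.transcript = []
        self.completed = False

    def receive(self, rec):
        # Record layer: our read state and the peer's write state must agree.
        if rec.encrypted != self.read_keys_active:
            raise HandshakeError("record layer: bad_record_mac / decode_error")
        if self.strict and self.expecting_finished and rec.msg != FINISHED:
            raise HandshakeError("unexpected_message: only Finished may follow CCS")
        if rec.msg == CHANGE_CIPHER_SPEC:
            self.read_keys_active = True
            self.expecting_finished = True
            return                        # CCS is not part of the transcript
        if rec.msg == FINISHED:
            if self.strict and not self.expecting_finished:
                raise HandshakeError("unexpected_message: Finished before CCS")
            if not hmac.compare_digest(rec.verify_data, client_verify_data(self.transcript)):
                raise HandshakeError("decrypt_error: bad verify_data")
            self.completed = True
            return
        self.transcript.append(rec.msg)


def run_handshake(strict, records):
    """Feed records to a fresh server; return (completed, reads_are_encrypted)."""
    srv = Server(strict)
    for rec in records:
        srv.receive(rec)
    return srv.completed, srv.read_keys_active


def outcome(strict, records):
    """(completed, encrypted) on success, ("rejected", alert) on failure."""
    try:
        return run_handshake(strict, records)
    except HandshakeError as e:
        return ("rejected", str(e))


def honest_flow():
    transcript = [CLIENT_HELLO, CLIENT_KEY_EXCHANGE]
    return [Record(CLIENT_HELLO, False), Record(CLIENT_KEY_EXCHANGE, False),
            Record(CHANGE_CIPHER_SPEC, False),
            Record(FINISHED, True, client_verify_data(transcript))]


def skip_ccs_flow():
    """Same messages with CCS removed: Finished still verifies, still in the clear."""
    transcript = [CLIENT_HELLO, CLIENT_KEY_EXCHANGE]
    return [Record(CLIENT_HELLO, False), Record(CLIENT_KEY_EXCHANGE, False),
            Record(FINISHED, False, client_verify_data(transcript))]


def message_between_ccs_and_finished_flow():
    """A handshake message slipped in after CCS; the fix must reject this too."""
    transcript = [CLIENT_HELLO, CLIENT_KEY_EXCHANGE, CLIENT_KEY_EXCHANGE]
    return [Record(CLIENT_HELLO, False), Record(CLIENT_KEY_EXCHANGE, False),
            Record(CHANGE_CIPHER_SPEC, False), Record(CLIENT_KEY_EXCHANGE, True),
            Record(FINISHED, True, client_verify_data(transcript))]


if __name__ == "__main__":
    for name, flow in [("honest", honest_flow), ("skip CCS", skip_ccs_flow),
                       ("msg between CCS/Finished", message_between_ccs_and_finished_flow)]:
        print(f"{name:26s} lenient={outcome(False, flow())}  strict={outcome(True, flow())}")
```

The point to check in any real implementation is the second line of the skip-CCS outcome: the lenient receiver reports the handshake as completed while its read keys were never activated, so everything that follows is processed as plaintext. The strict receiver refuses with unexpected_message in both the skipped-CCS and the interleaved-message cases, which is the behaviour the mail asks for.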
