SKIP: TLS bug in gnu/javax/net/ssl/provider
From: Karthikeyan Bhargavan
Subject: SKIP: TLS bug in gnu/javax/net/ssl/provider
Date: Fri, 6 Mar 2015 07:40:39 +0100
Hi,
We’ve been testing TLS implementations for state machine violations and found a
number of unexpected behaviours.
See: http://www.smacktls.com
I am writing to report a bug in classpath’s TLS implementation at
gnu/javax/net/ssl/provider
Both the client and server in classpath’s TLS library allow the peer to skip
the ChangeCipherSpec message, hence disabling encryption.
That is, they will accept a Finished message in the handshake even if they have
not received a ChangeCipherSpec message.
The easy fix is to require CCS before Finished, *and* to ensure that no
messages are received between CCS and Finished.
The bug allows the peer to downgrade any TLS connection to plaintext.
This is worrying in itself, but also opens up more serious attacks.
For example, see the attacks on Java in http://www.smacktls.com/smack.pdf
I’d be happy to discuss this bug in more detail with whoever’s working on that
bit of the code.
We have tests and demos and would be happy to help test patches.
Best,
Karthik
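The state-machine check the report asks for, as an added example that is not Classpath code and not part of the original message: a minimal receive-side tracker for the end of a TLS handshake, run in a lenient mode that mirrors the reported behaviour (Finished accepted without ChangeCipherSpec, so keys are never activated) and a strict mode that only accepts Finished as the message immediately following CCS. Message names, the two modes and the traces are constructed for illustration; real record parsing is out of scope.

```python
# Added example (not GNU Classpath code): a receive-side state tracker for the
# ChangeCipherSpec/Finished transition. Messages are plain strings here.

HANDSHAKE, CCS_SEEN, DONE = "handshake", "ccs_seen", "done"


class HandshakeTracker:
    def __init__(self, strict):
        self.strict = strict      # True = enforce the fix described in the report
        self.state = HANDSHAKE
        self.encrypted = False    # keys are activated only when CCS is processed

    def receive(self, msg):
        """Process one incoming message; return False if it must be rejected."""
        if self.state == DONE:
            return False          # nothing else belongs to this handshake
        if msg == "ChangeCipherSpec":
            self.encrypted = True
            self.state = CCS_SEEN
            return True
        if msg == "Finished":
            if self.strict and self.state != CCS_SEEN:
                return False      # lenient mode reaches DONE here still unencrypted
            self.state = DONE
            return True
        # Any other handshake message (ServerHello, Certificate, ...)
        if self.strict and self.state == CCS_SEEN:
            return False          # nothing may sit between CCS and Finished
        return True


def run(messages, strict):
    """Feed a message trace; return (handshake_accepted, encrypted_at_end)."""
    tracker = HandshakeTracker(strict)
    for msg in messages:
        if not tracker.receive(msg):
            return False, tracker.encrypted
    return tracker.state == DONE, tracker.encrypted


# Constructed traces of a server's flight as seen by the client.
NORMAL = ["ServerHello", "Certificate", "ServerHelloDone", "ChangeCipherSpec", "Finished"]
SKIP_CCS = ["ServerHello", "Certificate", "ServerHelloDone", "Finished"]
INTERLEAVED = ["ServerHello", "ChangeCipherSpec", "Certificate", "Finished"]

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("skip_ccs", SKIP_CCS), ("interleaved", INTERLEAVED)]:
        print(name, "lenient:", run(trace, False), "strict:", run(trace, True))
```

In lenient mode the CCS-less trace completes with `encrypted` still False, which is the plaintext downgrade the report describes; strict mode rejects it and the interleaved trace.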