RE: [TLS] Record layer corner cases
Peter Williams <home_pw at msn.com> writes:
>Out of interest Peter and Martin, how well do your software and hardware
>modules handle the following change from SSL v2 to SSL v3, including fallback
>handling as specified by SSL3, and then the TLS fallback mechanisms?
>
>"SSL Version 3 supports the transmission and reception of "out of band data".
>Out of band data is normally defined at the TCP/IP protocol level, but
>because of SSL's privacy enhancements and support for block ciphers, this
>becomes difficult to support.
I don't handle it at all, if my code sees OOB data in the middle of a TLS
stream it flags it as a network-level error (my security model is default-
deny). I've never seen OOB data used and can't imagine why it'd ever be used
except as a potential attack vector targeting corner cases in TLS
implementations.
Peter.
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
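
The default-deny handling described in the reply above, sketched as an added example (not part of the original message and not the poster's code): a record reader that treats TCP urgent (out-of-band) data on the transport socket as a fatal network-level error. The names `UrgentDataError`, `read_record_bytes` and `demo`, and the sample record bytes, are constructed for illustration.

```python
import select
import socket

# Constructed sample: a TLS record header (application_data, TLS 1.2, length 8)
# followed by 8 placeholder body bytes. Not real ciphertext.
RECORD = bytes.fromhex("1703030008") + b"\x00" * 8


class UrgentDataError(ConnectionError):
    """TCP urgent (out-of-band) data was seen on a TLS transport socket."""


def read_record_bytes(sock, n, timeout=2.0):
    """Read exactly n bytes; fail closed if urgent data is pending."""
    buf = b""
    while len(buf) < n:
        # select() reports pending TCP urgent data as an exceptional condition.
        readable, _, exceptional = select.select([sock], [], [sock], timeout)
        if exceptional:
            sock.close()  # default-deny: drop the connection, do not parse on
            raise UrgentDataError("out-of-band data in TLS stream")
        if not readable:
            raise TimeoutError("no data from peer")
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-record")
        buf += chunk
    return buf


def demo(inject_oob):
    """Loopback exchange; returns the record bytes, or None if rejected."""
    listener = socket.create_server(("127.0.0.1", 0))
    tx = socket.create_connection(listener.getsockname())
    rx, _ = listener.accept()
    try:
        tx.sendall(RECORD[:6])
        if inject_oob:
            tx.send(b"!", socket.MSG_OOB)  # urgent byte in mid-record
        tx.sendall(RECORD[6:])
        try:
            return read_record_bytes(rx, len(RECORD))
        except UrgentDataError:
            return None
    finally:
        for s in (tx, rx, listener):
            s.close()
```

The receiver leaves `SO_OOBINLINE` at its default (off), so the urgent byte is never merged into the record stream before the check fires.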