[TLS] DTLS implementation questions

To: <tls at ietf.org>
Subject: [TLS] DTLS implementation questions
From: "Joseph Salowey \(jsalowey\)" <jsalowey at cisco.com>
Date: Fri, 21 Sep 2007 16:02:09 -0700
Authentication-results: sj-dkim-3; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: "Abhijit Choudhury \(achoudhu\)" <achoudhu at cisco.com>
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1490; t=1190415724; x=1191279724; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20\(jsalowey\)=22=20<jsalowey@cisco.com> |Subject:=20DTLS=20implementation=20questions |Sender:=20; bh=O09CrpFwo7faUIjwKvRqF5WxnTZ+0x6pROns4jRrsAc=; b=gO9yV8a4uLlkMvgqbHrN2PuUmgQPSf9qW1Vmx1g4ZyNNO3gUEE3BWeNH9zzTtdDHVVUAG7C9 NDctZlgaWT/3niDVsogBYF4678DvUEzrDqJNeXQXrTpbOs4AIY2ZWuX2;
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
Thread-index: Acf8o2/p8JOClxb0QfqQS/tgWiHDwg==
Thread-topic: DTLS implementation questions

We have noticed some inconsistencies between RFC 4347 and DTLS
implementations (in particular implementations based on OpenSSL).  There
may be some areas where the specification is not clear so we wanted to
make sure we understood the intention of the spec in these areas.

1. We notice that some implementations include the initial ClientHello
and the HelloVerifyRequest in the Finished message hash and
CertificateVerify message hash. Section 4.2.1 of RFC 4347 indicates that
the initial ClientHello and the HelloVerifyRequest should be excluded
from the Finished message hash, however it does not mention excluding
these messages from the CertificateVerify message hash.  We believe that
these messages should be excluded from both hashes in order to achieve
the intended DOS protection.  

2. We notice that the handshake "headers" are omitted in the hash
computation for the CertificateVerify and the Finished message in some
implementations.  Although the spec does not explicitly specify how the
hashes are constructed we believe it should be consistent with RFC 4346
and use the complete handshake message.  

Do these interpretations make sense? 

We have found other implementation issues that do not appear to derive
from specification interpretation.  They detailed here
http://groups.google.com/group/mailing.openssl.dev/browse_thread/thread/
84c7c55752393dd/fcbb1734be44c72b?lnk=gst&q=dtls&rnum=1#fcbb1734be44c72b.


Thanks,

Joe

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] DTLS implementation questions
  - From: Rob Dugal

Prev by Date: [TLS] I-D ACTION:draft-ietf-tls-rfc4346-bis-05.txt
Next by Date: Re: [TLS] DTLS implementation questions
Previous by thread: [TLS] I-D ACTION:draft-ietf-tls-rfc4346-bis-05.txt
Next by thread: Re: [TLS] DTLS implementation questions
Index(es):
- Date
- Thread

[TLS] DTLS implementation questions

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.