On 04/17/2014 04:46 PM, james brown wrote:
> Hi
>
> I'm a little bit confused about the differences in implementation of SSL v3
> and TLS 1.2
>
> In Firefox when you visit a website with SSL v3 the data sent through
> PR_Write is in plaintext and later to be encrypted in Ssl_Write (as far as
> I know)
>
> But on a TLS 1.2 site when PR_Write is called the data is already encrypted
>
> Could someone help me understand what's going on here?
What you are describing doesn't sound right. I suspect the issue isn't
an SSL v3 versus TLS but something else. Without knowing what data you
are talking about it's not clear what you are seeing, so the following
are pure guesses:

1) First, there is no basic difference in SSL v3 and TLS in how the
handshake works with respect to switching to an encrypted connection. In
both the handshake starts out unencrypted because there is no history of
keys between the two sides. Once a handshake has completed, the data is
now encrypted. No data from the initial write is sent unencrypted. If
you later want to renegotiate (say change from SSLv3 to TLS) on the same
connection, that entire handshake will happen using the previous (say
SSLv3) SSL cipher and then change to the new one before any additional
data is sent.

If you are snooping the packets, you will first see the unencrypted
handshake messages, and then the always encrypted messages.

2) If you create a connection to a server, then create a second
connection to the same server, the second connection will usually
use the same master key and derive new session keys in an
abbreviated handshake. It is possible you are making your first
connection to the server using SSL v3 and a second using TLS 1.2 (though
doing this would require an unusual set of circumstances). The second is
a restart handshake, which is shorter and may look encrypted at first
look, but it's actually not encrypted.

3) Your SSL3 server is doing something different than your TLS server.
For instance, you may be connecting to it using http:// and it's
redirecting using https://. The entire http:// portion will be
unencrypted because that is what http:// means. You could also be
connecting using starttls. We don't typically use starttls for
http/https (I don't actually think it works there), but imap and ldap
use starttls. In that case the connection starts completely unencrypted
until the starttls message is sent and then the SSL handshake and then
the data is encrypted.

This is not an exhaustive list, but the important point here is if you
are seeing unencrypted data followed by encrypted data, it's not an SSL
v3 versus TLS 1.2 issue, it's some other SSL/TLS/HTTP thing going on.
Also, you shouldn't have any cases where the data you actually send in
PR_Write is sent unencrypted.
>
> Why is the data not encrypted after PR_Write like with SSL v3?
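As an added illustration of the packet-snooping point in the reply above (not code from this thread or from NSS): a small Python walker over one direction of a raw TLS byte stream that labels each record as plaintext or encrypted, using the ChangeCipherSpec record as the boundary, for both a full and an abbreviated (resumed) handshake. The record builders and byte streams are constructed dummies with assumed contents, not real captures.

```python
import struct

# TLS record-layer content types and the handshake message types labelled while plaintext.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}

def record(ctype, body, version=(3, 3)):
    """Build one TLS record: type, version, 2-byte length, body (3.3 is TLS 1.2)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body

def handshake_msg(htype, body):
    """Build a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def walk_records(stream):
    """Split one direction of a raw TLS byte stream into records and label each one.

    Records before ChangeCipherSpec are plaintext, so handshake messages can be named by
    type; from the next record on (Finished, application data) only the header is readable.
    Returns a list of (content_type, label, encrypted) tuples."""
    out, encrypted, off = [], False, 0
    while off + 5 <= len(stream):
        ctype, _, _, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record at offset %d" % off)
        name = CONTENT_TYPES.get(ctype, "unknown")
        if encrypted:
            label = "encrypted " + name               # body is opaque ciphertext
        elif ctype == 22 and body:
            label = HANDSHAKE_TYPES.get(body[0], "handshake")
        else:
            label = name
        out.append((name, label, encrypted))
        if ctype == 20:                               # CCS: everything after it is encrypted
            encrypted = True
        off += 5 + length
    return out

# Constructed client->server streams with dummy bodies (not real captures).
FULL_HANDSHAKE = (record(22, handshake_msg(1, b"\x03\x03" + b"\x00" * 33))     # ClientHello
                  + record(22, handshake_msg(16, b"\x00\x02\xaa\xbb"))         # ClientKeyExchange
                  + record(20, b"\x01")                                        # ChangeCipherSpec
                  + record(22, b"\x9f" * 40)                                   # Finished (encrypted)
                  + record(23, b"\xde\xad" * 10))                              # application data
# Abbreviated (resumption) handshake: no key exchange, so shorter, but ClientHello is still plaintext.
RESUMED_HANDSHAKE = (record(22, handshake_msg(1, b"\x03\x03" + b"\x00" * 32 + b"\x20" + b"\x11" * 32))
                     + record(20, b"\x01") + record(22, b"\x9f" * 40) + record(23, b"\xde\xad" * 10))
```

Walking either stream shows the ClientHello (and, in the full case, the ClientKeyExchange) as plaintext and everything from the Finished record on as encrypted, which is the pattern a packet capture of a normal connection should show regardless of SSL v3 versus TLS 1.2.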



-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
