Hello Michael, Thanks for your input.
Sorry for being unclear in my first post. The main reason for my question was to get input from someone with detail information about how OpenSSL handles handshake message fragmentation and the finished MAC. Not to adapt my implementation. I will do as you suggest and send a question to [email protected] about this. I will send a mail to this mailing list if my findings affect OpenSSL and the handling of handshake message fragmentation. Best regards, /Bojan -----Ursprungligt meddelande----- Från: [email protected] [mailto:[email protected]] För Michael Tuexen Skickat: den 1 november 2012 15:25 Till: [email protected] Ämne: Re: DTLS finished MAC calculation and handshake message fragmentation On Nov 1, 2012, at 2:14 PM, Bojan Pisler wrote: > Hello, > > Im doing interop testing with our DTLS server and OpenSSL. Im using OpenSSL version OpenSSL 1.0.1c 10 May 2012 with the following command line. > > openssl s_client -msg -debug -connect 127.0.0.1:9683 -dtls1 -cert > client.pem -certform PEM -key client.key -keyform PEM -CAfile root.crt > state > > Our server and OpenSSL handshake successfully when I run our server without client authentication turned on. In this test there are no fragmented handshake messages. The Finished signatures are calculated in the same way in both ends since the handshake is successful. > > But when I turn on client authentication the handshake fails. Both the CertificateVerify and Finished signatures are different which makes the handshake fail. I suspect that the reason for this is that OpenSSL sends its certificate to the server split into 3 fragments. The server reassembles the Certificate handshake message successfully. But it seems like the signatures are calculated differently. > > I have read this mailing list and tried several suggestions for handling fragmentation but with no success. Also both RFC 4347 and 6347 are unclear on how the signatures should be computed with regard to handshake fragmentation. So I would like to ask for a description of how this is done in OpenSSL so I can adapt our implementation and make it interoperable with OpenSSL? If you think RFC 6347 is unclear how the computation should be done, please send a message to [email protected] to discuss this. I think just doing something because OpenSSL does it, is not the right way. If the issue can be resolved on [email protected], the implementations can be fixed if needed. Best regards Michael > > Best regards, > > /Bojan ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
