... is broken in 1.1. We negotiate it, then don't actually *do* it.

https://github.com/openssl/openssl/pull/1705 contains a patch to
disable it unconditionally for DTLS, on both server and client.

In that same PR there's also a patch to actually implement EtM for DTLS
— so that if it ever *stops* being disabled, it would actually work.
That second patch is tested (by reverting the first) against a GnuTLS
server both with and without EtM.

What remains is to have a conversation about how, if ever, we can turn
EtM back on again.

There are a few mitigating factors:
 • OpenSSL 1.1 is the only version which has this problem.
 • OpenSSL 1.1 supports DTLSv1.2 and AEAD ciphers, which disable EtM.

However, the problem still exists for applications using OpenSSL 1.1
with DTLSv1.0, where they *will* end up using a CBC cipher.

I don't think it makes much sense just to leave EtM disabled —
depending on how you look at things, that's either not necessary (who
cares about OpenSSL 1.1.0[ab]; just upgrade to 1.1.0c!), or not
sufficient (1.1.0[ab] are still broken when talking to e.g. GnuTLS
anyway, and *everyone* would need to stop doing DTLS+EtM).

So I think in the process of typing this mail, I've persuaded at least
*myself* that the PR above should be refactored to include *only* the
second patch; to *fix* EtM without disabling it.

Any dissenting opinions?

It really would be nice to have a way to disable EtM voluntarily
though; especially for the DTLS_get_data_mtu() test cases that I've
added in PR#1666.


Attachment: smime.p7s
Description: S/MIME cryptographic signature

openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Reply via email to