... is broken in 1.1. We negotiate it, then don't actually *do* it. https://github.com/openssl/openssl/pull/1705 contains a patch to disable it unconditionally for DTLS, on both server and client.
In that same PR there's also a patch to actually implement EtM for DTLS — so that if it ever *stops* being disabled, it would actually work. That second patch is tested (by reverting the first) against a GnuTLS server both with and without EtM. What remains is to have a conversation about how, if ever, we can turn EtM back on again. There are a few mitigating factors: • OpenSSL 1.1 is the only version which has this problem. • OpenSSL 1.1 supports DTLSv1.2 and AEAD ciphers, which disable EtM. However, the problem still exists for applications using OpenSSL 1.1 with DTLSv1.0, where they *will* end up using a CBC cipher. I don't think it makes much sense just to leave EtM disabled — depending on how you look at things, that's either not necessary (who cares about OpenSSL 1.1.0[ab]; just upgrade to 1.1.0c!), or not sufficient (1.1.0[ab] are still broken when talking to e.g. GnuTLS anyway, and *everyone* would need to stop doing DTLS+EtM). So I think in the process of typing this mail, I've persuaded at least *myself* that the PR above should be refactored to include *only* the second patch; to *fix* EtM without disabling it. Any dissenting opinions? It really would be nice to have a way to disable EtM voluntarily though; especially for the DTLS_get_data_mtu() test cases that I've added in PR#1666. -- dwmw2
Description: S/MIME cryptographic signature
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev