On 30/01/2019 17:20, Kurt Roeckx wrote:
> On Wed, Jan 30, 2019 at 10:44:12AM +0000, Matt Caswell wrote:
>> On 29/01/2019 19:27, David Benjamin wrote:
>>> On Tue, Jan 29, 2019 at 11:31 AM Kurt Roeckx <k...@roeckx.be
>>> <mailto:k...@roeckx.be>> wrote:
>>>     On Tue, Jan 29, 2019 at 02:07:09PM +0000, Matt Caswell wrote:
>>>     > So I plan to start the vote soon for merging PR#8096 and backporting 
>>> it to
>>>     > 1.1.1. This is a breaking change as previously discussed.
>>>     >
>>>     > My proposed vote text is as follows. Please let me know asap of any 
>>> feedback.
>>>     > Otherwise I will start the vote soon.
>>>     >
>>>     > "master and 1.1.1 will be updated to use SSL_CB_POST_HANDSHAKE_START 
>>> and
>>>     > SSL_CB_POST_HANDSHAKE_END to signal the start and end of a post 
>>> handshake
>>>     > message exchange in the info callback (replacing 
>>> What exactly is a post-handshake message exchange? Do the NewSessionTicket 
>>> sent
>>> by the server at the beginning count as the part of the handshake? Are they 
>>> each
>>> separate post-handshake exchanges? Are all of them together one exchange?
>>> Conversely, what happens when you receive that NewSessionTicket as a client?
>> They are each separate post-handshake exchanges. Both on the server and on 
>> the
>> client.
>>> When you send a KeyUpdate with key_update_requested, is the reply you expect
>>> part of the exchange or separate? What if the peer coalesced them to avoid 
>>> DoS
>>> problems? Conversely, if you receive a KeyUpdate with key_update_requested, 
>>> is
>>> your reply part of the exchange? What if you coalesced them to avoid DoS 
>>> problems?
>>> What if I send a CertificateRequest, but the other side sends me a KeyUpdate
>>> with key_update_requested before responding with Certificate, so I respond 
>>> with
>>> my own KeyUpdate? What and how many exchanges are there?
>>> Is it important that both sides agree what an "exchange" is?
>> The answers all depend on how the OpenSSL state machine views them. At the
>> moment the peer sending a KeyUpdate sees that as a single standalone 
>> exchange.
>> If an update has been requested then the receiving peer sees the receiving 
>> and
>> subsequent sending of the next KeyUpdate as a single exchange.
> This "at the moment" sounds a lot like "we can change this at any
> time, for whatever reason".

No, it means that is how it currently coded. We are discussing a PR to change
how this works so we have the opportunity to make it work differently if we so
wish. However since this is a breaking change I'm of the view that we should be
making the minimal change necessary. IMO that is the change that I have proposed
in PR 8096 and as described in the vote text at the beginning of this thread.

I don't think we should be looking at this as a wholesale redesign of how the
info callback works and its relative merits an disadvantages. Like it or not we
have an info callback, and it does what it does. It is in our API and we cannot
remove it (at least not any time soon - see
https://github.com/openssl/web/pull/82). We implemented it in a particular way
for TLSv1.3 and if we wanted something else then the time to debate that was
prior to the release of 1.1.1. The *only* reason that this is being discussed
now is because of the specific issue with KeyUpdates. PR8096 fixes that in the
simplest way I could think of.

> I can actually see a use case for wanting to know if a key update
> has been received and sent. Maybe the application wants to make
> sure that at regular intervals this is done. I just doubt that
> this is the most useful interface for that. The way to do that is
> to tell OpenSSL to do that instead.
>> Certificate requests are similar, i.e. the server sees the sending of the
>> certificate request as a single standalone exchange, and the receipt of the
>> subsequent Certificate/Finished as a separate exchange. The client sees the
>> receipt of the request and its response as one single exchange.
> I think the server really only cares that it's been received, and
> you can argue that it should be 1 exchange.

I'm not entirely sure what you mean by "1 exchange", but if you mean the sending
of the request and the subsequent receipt of the certificate/finished should be
1 exchange as far as the info callback is concerned then I don't think that
would work. There may be intervening messages and application data transfer.


openssl-project mailing list

Reply via email to