Re: [openssl-dev] DTLS encrypt-then-mac

2016-10-13 Thread David Woodhouse
On Thu, 2016-10-13 at 23:48 +0100, Matt Caswell wrote:
> 
> > Any dissenting opinions?
> 
> Not from me. It's broken. Let's fix it.

Thanks. https://github.com/openssl/openssl/pull/1705 updated accordingly.

With that fixed, I think https://github.com/openssl/openssl/pull/1666
is now ready to be merged too (it contains the fixes from #1705, which
it depends on).

The only bit I wasn't sure about in #1666 was the addition of the DTLS
cipher tests to ssl_test_old — which is redundant now that I've written a
completely new test to do an MTU torture test on every cipher suite
(both with and without EtM, for CBC suites). So I took it out.

But I've submitted that part separately anyway, since part of it might
be useful — in order for the test recipe to *get* the list of DTLS
ciphersuites, I had to make 'openssl ciphers DTLSv1' work. Which might
be worth keeping, although it wants careful review:
https://github.com/openssl/openssl/pull/1710

-- 
dwmw2

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] DTLS encrypt-then-mac

2016-10-13 Thread Matt Caswell


On 13/10/16 11:45, David Woodhouse wrote:
> ... is broken in 1.1. We negotiate it, then don't actually *do* it.
> 
> https://github.com/openssl/openssl/pull/1705 contains a patch to
> disable it unconditionally for DTLS, on both server and client.
> 
> In that same PR there's also a patch to actually implement EtM for DTLS
> — so that if it ever *stops* being disabled, it would actually work.
> That second patch is tested (by reverting the first) against a GnuTLS
> server both with and without EtM.
> 
> What remains is to have a conversation about how, if ever, we can turn
> EtM back on again.
> 
> There are a few mitigating factors:
>  • OpenSSL 1.1 is the only version which has this problem.
>  • OpenSSL 1.1 supports DTLSv1.2 and AEAD ciphers, which disable EtM.
> 
> However, the problem still exists for applications using OpenSSL 1.1
> with DTLSv1.0, where they *will* end up using a CBC cipher.
> 
> I don't think it makes much sense just to leave EtM disabled —
> depending on how you look at things, that's either not necessary (who
> cares about OpenSSL 1.1.0[ab]; just upgrade to 1.1.0c!), or not
> sufficient (1.1.0[ab] are still broken when talking to e.g. GnuTLS
> anyway, and *everyone* would need to stop doing DTLS+EtM).
> 
> So I think in the process of typing this mail, I've persuaded at least
> *myself* that the PR above should be refactored to include *only* the
> second patch; to *fix* EtM without disabling it.
> 
> Any dissenting opinions?

Not from me. It's broken. Let's fix it.

Matt


> 
> It really would be nice to have a way to disable EtM voluntarily
> though; especially for the DTLS_get_data_mtu() test cases that I've
> added in PR#1666.


[openssl-dev] DTLS encrypt-then-mac

2016-10-13 Thread David Woodhouse
... is broken in 1.1. We negotiate it, then don't actually *do* it.

https://github.com/openssl/openssl/pull/1705 contains a patch to
disable it unconditionally for DTLS, on both server and client.

In that same PR there's also a patch to actually implement EtM for DTLS
— so that if it ever *stops* being disabled, it would actually work.
That second patch is tested (by reverting the first) against a GnuTLS
server both with and without EtM.

What remains is to have a conversation about how, if ever, we can turn
EtM back on again.

There are a few mitigating factors:
 • OpenSSL 1.1 is the only version which has this problem.
 • OpenSSL 1.1 supports DTLSv1.2 and AEAD ciphers, which disable EtM.

However, the problem still exists for applications using OpenSSL 1.1
with DTLSv1.0, where they *will* end up using a CBC cipher.

I don't think it makes much sense just to leave EtM disabled —
depending on how you look at things, that's either not necessary (who
cares about OpenSSL 1.1.0[ab]; just upgrade to 1.1.0c!), or not
sufficient (1.1.0[ab] are still broken when talking to e.g. GnuTLS
anyway, and *everyone* would need to stop doing DTLS+EtM).

So I think in the process of typing this mail, I've persuaded at least
*myself* that the PR above should be refactored to include *only* the
second patch; to *fix* EtM without disabling it.

Any dissenting opinions?

It really would be nice to have a way to disable EtM voluntarily
though; especially for the DTLS_get_data_mtu() test cases that I've
added in PR#1666.

-- 
dwmw2
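
The failure mode described in this message (EtM negotiated, but the record layer still builds MAC-then-encrypt records) is easiest to see at the record level. The following is an added example, not code from this thread, from OpenSSL or from GnuTLS: it builds TLS/DTLS CBC records in MAC-then-encrypt form (RFC 5246 6.2.3.2) and in encrypt-then-MAC form (RFC 7366), then checks whether a receiver accepts what a sender produced for each combination of "applies EtM" / "does not apply EtM". Assumptions: a 4-round Feistel network over SHA-256 stands in for AES so the script runs on the Python standard library alone (it is not a secure cipher); HMAC-SHA256 is the MAC; keys, the DTLS epoch/sequence number and the payload are constructed for the demo; and the EtM pseudo-header length is taken as the length of IV plus ciphertext with the MAC excluded, which is how I read RFC 7366.

```python
# Added example (not code from the thread, OpenSSL or GnuTLS): TLS/DTLS CBC
# record protection in MAC-then-encrypt and encrypt-then-MAC form, plus an
# interop check between a sender and a receiver that may or may not apply
# EtM after having negotiated it.
import hashlib
import hmac
import os
import struct

BLOCK = 16      # block size of the (toy) block cipher, as for AES-CBC
MAC_LEN = 32    # HMAC-SHA256 tag length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Round function of the toy cipher: keyed SHA-256 truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key, block):
    # 4-round Feistel network standing in for AES. It is only here so the
    # CBC/padding structure of the record is real; it is NOT a secure cipher.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, blk), prev)
        prev = blk
    return bytes(out)


def tls_pad(data):
    # TLS CBC padding: padding_length + 1 bytes, each equal to padding_length.
    p = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([p]) * (p + 1)


def tls_unpad(data):
    if not data:
        raise ValueError("bad padding")
    p = data[-1]
    if p + 1 > len(data) or any(b != p for b in data[-(p + 1):]):
        raise ValueError("bad padding")
    return data[:-(p + 1)]


def _hdr(seq, ctype, version, length):
    # 13-byte MAC pseudo-header; for DTLS, seq is epoch(16 bits) || seq(48 bits).
    return struct.pack("!QBHH", seq, ctype, version, length)


def mte_protect(mac_key, enc_key, seq, ctype, version, plaintext):
    # RFC 5246: MAC the plaintext, then pad and encrypt plaintext || MAC.
    mac = hmac.new(mac_key, _hdr(seq, ctype, version, len(plaintext)) + plaintext,
                   hashlib.sha256).digest()
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(enc_key, iv, tls_pad(plaintext + mac))


def etm_protect(mac_key, enc_key, seq, ctype, version, plaintext):
    # RFC 7366: pad and encrypt the plaintext, then MAC over IV || ciphertext.
    # Assumption: the header length field is len(IV || ciphertext), MAC excluded.
    iv = os.urandom(BLOCK)
    ct = iv + cbc_encrypt(enc_key, iv, tls_pad(plaintext))
    mac = hmac.new(mac_key, _hdr(seq, ctype, version, len(ct)) + ct, hashlib.sha256).digest()
    return ct + mac


def mte_unprotect(mac_key, enc_key, seq, ctype, version, record):
    # Decrypt first, then inspect padding and MAC (a real stack must make this
    # constant time; only the order of operations matters here).
    data = tls_unpad(cbc_decrypt(enc_key, record[:BLOCK], record[BLOCK:]))
    plaintext, mac = data[:-MAC_LEN], data[-MAC_LEN:]
    expect = hmac.new(mac_key, _hdr(seq, ctype, version, len(plaintext)) + plaintext,
                      hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        raise ValueError("bad record mac")
    return plaintext


def etm_unprotect(mac_key, enc_key, seq, ctype, version, record):
    # Verify the MAC over the ciphertext first; nothing is decrypted or
    # unpadded unless it checks out.
    ct, mac = record[:-MAC_LEN], record[-MAC_LEN:]
    expect = hmac.new(mac_key, _hdr(seq, ctype, version, len(ct)) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        raise ValueError("bad record mac")
    return tls_unpad(cbc_decrypt(enc_key, ct[:BLOCK], ct[BLOCK:]))


def interop(sender_etm, receiver_etm, plaintext=b"hello over DTLS 1.0"):
    # True if the receiver accepts the sender's record. sender_etm=False with
    # receiver_etm=True is the case in the thread: EtM negotiated, MtE sent.
    mac_key, enc_key = b"m" * 32, b"e" * 16            # constructed demo keys
    seq, ctype, version = (1 << 48) | 7, 23, 0xFEFF    # epoch 1, seq 7, app data, DTLS 1.0
    protect = etm_protect if sender_etm else mte_protect
    unprotect = etm_unprotect if receiver_etm else mte_unprotect
    record = protect(mac_key, enc_key, seq, ctype, version, plaintext)
    try:
        return unprotect(mac_key, enc_key, seq, ctype, version, record) == plaintext
    except ValueError:
        return False


if __name__ == "__main__":
    for s, r in [(True, True), (False, False), (False, True), (True, False)]:
        print(f"sender EtM={s!s:5} receiver EtM={r!s:5} accepted={interop(s, r)}")
```

Only the two matching combinations succeed; a sender that advertises EtM but emits MtE records is rejected by any peer that really applies EtM (the GnuTLS case in the message), which is why leaving the extension negotiated but unimplemented is not a safe "off" state. The example also makes the ordering difference visible: the EtM receiver rejects a bad record before touching the padding at all, whereas the MtE receiver has to decrypt and examine padding before it can check the MAC.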
