Open WernerWenz opened 5 years ago
@ekr - Is this a spec compliance issue or a feature request?
Assuming I am reading the report correctly, it's spec compliance. I think it's probably in one of the existing PRs though
> On Mon, Feb 11, 2019 at 2:03 PM Richard Barnes wrote: @ekr - Is this a spec compliance issue or a feature request?
As per the RFC, an arbitrary number of (empty, unencrypted) change_cipher_spec records may be sent during the handshake. Most clients will most likely use this feature in order to increase the chances of successfully establishing a TLS connection over the Internet. OpenSSL s_client and TLS-tris, for example, do so and thus are currently not compatible.
Fixing might be possible at https://github.com/bifurcation/mint/blob/83ba9bc2ead9cdf8b0c8bd94e8a41243e5f6ed88/record-layer.go#L383
However, while enabling connections from OpenSSL/tris, a simple
would not be sufficient, as these records must only occur unencrypted during the handshake (before the client's Finished).
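The check the issue is asking for, written out as an added Go example (this is not mint's code; `Record` and `HandshakeState` are hypothetical stand-ins for the record layer's own types). It applies the full RFC 8446 section 5 rule rather than only the "unencrypted, before Finished" condition quoted above: a plaintext change_cipher_spec whose body is the single byte 0x01, arriving after the first ClientHello and before the peer's Finished, is dropped; any other record claiming that content type (wrong body, protected, or outside that window) aborts with unexpected_message.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not mint's code: RFC 8446 section 5 handling of change_cipher_spec.
const recordTypeChangeCipherSpec byte = 20

// Record is a hypothetical stand-in for a record-layer read; Encrypted says
// whether the record arrived protected under a traffic key.
type Record struct {
	ContentType byte
	Fragment    []byte
	Encrypted   bool
}
// HandshakeState holds the two facts the rule depends on.
type HandshakeState struct {
	ClientHelloSeen  bool // first ClientHello sent or received
	PeerFinishedSeen bool // peer's Finished message received
}
// CCSAction is the record layer's verdict on a change_cipher_spec record.
type CCSAction int
const (
	NotCCS   CCSAction = iota // some other content type: handle normally
	DropCCS                   // compatibility CCS: discard without processing
	AbortCCS                  // protocol violation: send unexpected_message alert
)
var ErrUnexpectedMessage = errors.New("tls: unexpected_message")

// ClassifyCCS drops a plaintext one-byte 0x01 CCS that arrives after the
// first ClientHello and before the peer's Finished; anything else that
// claims to be a CCS (wrong body, encrypted, or outside that window) aborts.
func ClassifyCCS(rec Record, st HandshakeState) (CCSAction, error) {
	if rec.ContentType != recordTypeChangeCipherSpec {
		return NotCCS, nil
	}
	inWindow := st.ClientHelloSeen && !st.PeerFinishedSeen
	wellFormed := len(rec.Fragment) == 1 && rec.Fragment[0] == 0x01
	if !rec.Encrypted && wellFormed && inWindow {
		return DropCCS, nil
	}
	return AbortCCS, ErrUnexpectedMessage
}

func main() {
	ccs := Record{ContentType: recordTypeChangeCipherSpec, Fragment: []byte{0x01}}
	fmt.Println(ClassifyCCS(ccs, HandshakeState{ClientHelloSeen: true})) // 1 <nil>
}
```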