----- Original Message -----
> Hi,
>
> We’ve been testing TLS implementations for state machine violations and found
> a number of unexpected behaviours.
> See: http://www.smacktls.com
> I am writing to report a bug in classpath’s TLS implementation at
> gnu/javax/net/ssl/provider
>
> Both the client and server in classpath’s TLS library allow the peer to skip
> the ChangeCipherSpec message, hence disabling encryption.
> That is, they will accept a Finished message in the handshake even if they
> have not received a ChangeCipherSpec message.
> The easy fix is to require CCS before Finished, *and* to ensure that no
> messages are received between CCS and Finished.
>
> The bug allows the peer to downgrade any TLS connection to plaintext.
> This is worrying in itself, but also opens up more serious attacks.
> For example, see the attacks on Java in
> http://www.smacktls.com/smack.pdf
>
> I’d be happy to discuss this bug in more detail with whoever’s working on
> that bit of the code.
> We have tests and demos and would be happy to help test patches.
>
> Best,
> Karthik
>
> _______________________________________________
> Bug-classpath mailing list
> Bug-classpath@xxxxxxx
> https://lists.gnu.org/mailman/listinfo/bug-classpath

Funnily enough, I was just reading the site this morning and realising that we'd
patched this in OpenJDK in January.

I'll take a look at fixing this in the GNU Classpath code and would be
interested in any tests/demos you have to help. Is the web server mentioned on
smacktls.com still operational?

Thanks,
--
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

PGP Key: rsa4096/248BDC07 (hkp://keys.gnupg.net)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
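The state-machine flaw in the quoted report, modelled as an added Python example (not GNU Classpath's gnu.javax.net.ssl.provider code): a server-side handshake checker whose strict mode applies the fix Karthik describes, requiring ChangeCipherSpec before Finished and rejecting anything in between, while the lenient mode reproduces the bug and reports that the "completed" handshake never turned encryption on. The message names, the RSA-style client flight and the `strict` switch are assumptions of the illustration.

```python
# Added illustration of the ChangeCipherSpec-skipping bug reported above; not
# GNU Classpath's gnu.javax.net.ssl.provider code. Message names, the client
# flight (RSA key exchange) and the `strict` switch are assumptions. Only the
# server side is modelled; the client side has the symmetric problem.

CCS = "ChangeCipherSpec"
FINISHED = "Finished"
CLIENT_FLIGHT = ("ClientHello", "ClientKeyExchange")  # expected before CCS


class HandshakeError(Exception):
    """Raised when the peer violates the handshake state machine."""


def server_accepts(messages, strict=True):
    """Run the server-side state machine over the peer's message sequence.
    strict=False reproduces the reported bug: Finished is accepted with or
    without a preceding CCS (so the record layer never switched keys) and
    stray messages between CCS and Finished are ignored. strict=True is the
    fix the report asks for. Returns {"complete": True, "encrypted": bool}.
    """
    pending = list(CLIENT_FLIGHT)
    ccs_received = False
    for msg in messages:
        if msg == CCS:
            if pending:  # no key material yet, CCS makes no sense here
                raise HandshakeError("CCS before " + pending[0])
            ccs_received = True  # record layer switches to the new keys
        elif msg == FINISHED:
            if strict and not ccs_received:
                raise HandshakeError("Finished without ChangeCipherSpec")
            # traffic is protected only if the cipher switch actually happened
            return {"complete": True, "encrypted": ccs_received}
        elif ccs_received:
            if strict:
                raise HandshakeError(msg + " between CCS and Finished")
            # buggy behaviour: silently tolerate the stray message
        elif pending and msg == pending[0]:
            pending.pop(0)
        else:
            raise HandshakeError("unexpected " + msg)
    raise HandshakeError("handshake incomplete")


def check(messages, strict=True):
    """Return None if the sequence is accepted, else the rejection reason."""
    try:
        server_accepts(messages, strict)
        return None
    except HandshakeError as err:
        return str(err)
```

A regression test for a patch would feed the CCS-less sequence and the CCS-then-stray-message sequence and expect both to be rejected.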