From e94a6c0ede623960728415b68650a595e48f5a43 Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Wed, 19 Nov 2014 17:01:36 +0100 Subject: Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset once the ChangeCipherSpec message is received. Previously, the server would set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED. This would allow a second CCS to arrive and would corrupt the server state. (Because the first CCS would latch the correct keys and subsequent CCS messages would have to be encrypted, a MitM attacker cannot exploit this, though.) Thanks to Joeri de Ruiter for reporting this issue. Reviewed-by: Matt Caswell --- CHANGES | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'CHANGES') diff --git a/CHANGES b/CHANGES index 0d9bd505c3..aa07cc09c6 100644 --- a/CHANGES +++ b/CHANGES @@ -305,6 +305,11 @@ Changes between 1.0.1j and 1.0.2 [xx XXX xxxx] + *) Tighten handling of the ChangeCipherSpec (CCS) message: reject + early CCS messages during renegotiation. (Note that because + renegotiation is encrypted, this early CCS was not exploitable.) + [Emilia Käsper] + *) Tighten client-side session ticket handling during renegotiation: ensure that the client only accepts a session ticket if the server sends the extension anew in the ServerHello. Previously, a TLS client would @@ -638,6 +643,11 @@ Changes between 1.0.1j and 1.0.1k [xx XXX xxxx] + *) Tighten handling of the ChangeCipherSpec (CCS) message: reject + early CCS messages during renegotiation. (Note that because + renegotiation is encrypted, this early CCS was not exploitable.) + [Emilia Käsper] + *) Tighten client-side session ticket handling during renegotiation: ensure that the client only accepts a session ticket if the server sends the extension anew in the ServerHello. Previously, a TLS client would -- cgit v1.2.3