TLS Record Layer Bugs

bubblesradiographerΔιακομιστές

4 Δεκ 2013 (πριν από 3 χρόνια και 10 μήνες)

104 εμφανίσεις

TLS Record Layer Bugs

Pasi.Eronen@nokia.com

IETF67 TLS WG

Background


Testing inspired by Yngve’s draft


No illegal inputs (overflows etc.)

Fragmentation



“multiple client messages of the same
ContentType MAY be coalesced into a
single TLSPlaintext record, or a single
message MAY be fragmented across
several records”

Fragmentation: test results


OpenSSL

fail


Microsoft IIS

fail


Mozilla NSS

OK


Certicom


OK


GnuTLS


OK


Sun JSSE

OK


Cryptlib


fail


PureTLS


fail


TLSLite


fail


MatrixSSL

fail

Fragmentation: proposal


MUST NOT fragment Handshake, Alert,
and CCS messages


Unless larger than max. fragment size


…At least when using
TLS_NULL_WITH_NULL_NULL?

Empty fragments: test results


OpenSSL

fail


Microsoft IIS

fail


Mozilla NSS

fail


Certicom


OK


GnuTLS


OK


Sun JSSE

fail


Cryptlib


fail


PureTLS


fail


TLSLite


fail


MatrixSSL

fail

Empty fragments: proposal


MUST NOT send empty fragments


… with Handshake/Alert/CCS content
type only?

Large padding


“padding MAY be any length up to 255
bytes, as long as it results in the
TLSCiphertext.length being an integral
multiple of the block length”

Large padding: test results


OpenSSL

OK


Microsoft IIS

OK


Mozilla NSS

OK


Certicom


OK


GnuTLS


OK


Sun JSSE

OK


Cryptlib


OK


PureTLS


OK


TLSLite


OK


MatrixSSL

fail


Unknown content types



“If a TLS implementation receives a
record type it does not understand, it
SHOULD just ignore it.”

Unknown content: test results


OpenSSL

OK


Microsoft IIS

fail


Mozilla NSS

fail


Certicom


fail


GnuTLS


fail


Sun JSSE

OK


Cryptlib


fail


PureTLS


fail


TLSLite


fail


MatrixSSL

fail


Unknown content: proposal


MUST NOT send other content types
except when negotiated using a TLS
extension

Summary


I have some more tests…


Anyone interested in more testing?


SSL accelerator boxes?


Lotus Domino?