
Testing TLS Record Layer Bugs: Insights and Proposals from IETF67

This document presents the results of testing various implementations of the TLS record layer, highlighting significant issues such as fragmentation handling, empty fragments, large padding, and unknown content types. The testing inspired by Yngve’s draft shows diverse outcomes across different implementations. Notably, OpenSSL, Microsoft IIS, and others experienced failures while Mozilla NSS and GnuTLS passed certain tests. Proposals to improve protocol handling are discussed, including avoiding fragmentation of critical messages and minimizing the risk of sending empty fragments. Further testing interest is solicited.

chelsa

Presentation Transcript


  1. TLS Record Layer Bugs
     Pasi.Eronen@nokia.com
     IETF67 TLS WG

  2. Background
     • Testing inspired by Yngve’s draft
     • No illegal inputs (overflows etc.)

  3. Fragmentation
     “multiple client messages of the same ContentType MAY be coalesced into a single TLSPlaintext record, or a single message MAY be fragmented across several records”

  4. Fragmentation: test results
     • OpenSSL fail
     • Microsoft IIS fail
     • Mozilla NSS OK
     • Certicom OK
     • GnuTLS OK
     • Sun JSSE OK
     • Cryptlib fail
     • PureTLS fail
     • TLSLite fail
     • MatrixSSL fail

  5. Fragmentation: proposal
     • MUST NOT fragment Handshake, Alert, and CCS messages
     • Unless larger than max. fragment size
     • …At least when using TLS_NULL_WITH_NULL_NULL?

  6. Empty fragments: test results
     • OpenSSL fail
     • Microsoft IIS fail
     • Mozilla NSS fail
     • Certicom OK
     • GnuTLS OK
     • Sun JSSE fail
     • Cryptlib fail
     • PureTLS fail
     • TLSLite fail
     • MatrixSSL fail

  7. Empty fragments: proposal
     • MUST NOT send empty fragments
     • … with Handshake/Alert/CCS content type only?

  8. Large padding
     “padding MAY be any length up to 255 bytes, as long as it results in the TLSCiphertext.length being an integral multiple of the block length”

  9. Large padding: test results
     • OpenSSL OK
     • Microsoft IIS OK
     • Mozilla NSS OK
     • Certicom OK
     • GnuTLS OK
     • Sun JSSE OK
     • Cryptlib OK
     • PureTLS OK
     • TLSLite OK
     • MatrixSSL fail

  10. Unknown content types
      “If a TLS implementation receives a record type it does not understand, it SHOULD just ignore it.”

  11. Unknown content: test results
      • OpenSSL OK
      • Microsoft IIS fail
      • Mozilla NSS fail
      • Certicom fail
      • GnuTLS fail
      • Sun JSSE OK
      • Cryptlib fail
      • PureTLS fail
      • TLSLite fail
      • MatrixSSL fail

  12. Unknown content: proposal
      • MUST NOT send other content types except when negotiated using a TLS extension

  13. Summary
      • I have some more tests…
      • Anyone interested in more testing?
      • SSL accelerator boxes?
      • Lotus Domino?
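An added example, not part of the original slides: a minimal Python receiver-side parser that handles the cases the fragmentation, empty-fragment and unknown-content-type tests exercise, following the specification text quoted on slides 3 and 10. The function names and the sample stream are constructed for illustration, and records are assumed unencrypted (as under TLS_NULL_WITH_NULL_NULL).

```python
import struct

HANDSHAKE = 22
KNOWN_TYPES = {20, 21, 22, 23}  # CCS, Alert, Handshake, ApplicationData
MAX_FRAGMENT = 2 ** 14          # TLSPlaintext.length limit

def record(ctype, fragment, version=(3, 1)):
    """Frame one TLSPlaintext record: type, version, 16-bit length, fragment."""
    return struct.pack("!BBBH", ctype, *version, len(fragment)) + fragment

def handshake_msg(msg_type, body):
    """Frame one Handshake message: type plus 24-bit length, then body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def parse_stream(data):
    """Return (handshake messages, ignored content types) from a record stream."""
    messages, ignored, pending = [], [], b""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", data, pos)
        if length > MAX_FRAGMENT:
            raise ValueError("record exceeds maximum fragment size")
        fragment = data[pos + 5:pos + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        pos += 5 + length
        if ctype not in KNOWN_TYPES:
            ignored.append(ctype)        # "SHOULD just ignore it"
            continue
        if ctype != HANDSHAKE:
            continue                     # other layers are out of scope here
        pending += fragment              # an empty fragment adds nothing
        while len(pending) >= 4:
            body_len = int.from_bytes(pending[1:4], "big")
            if len(pending) < 4 + body_len:
                break                    # wait for the next record
            messages.append((pending[0], pending[4:4 + body_len]))
            pending = pending[4 + body_len:]
    if pending:
        raise ValueError("stream ended inside a handshake message")
    return messages, ignored

# Constructed sample: one message split over three records (one of them empty),
# an unknown content type, then two messages coalesced in a single record.
hello = handshake_msg(1, b"A" * 40)
SAMPLE = (record(22, hello[:2]) + record(22, b"") + record(22, hello[2:])
          + record(99, b"ignored")
          + record(22, handshake_msg(11, b"B" * 10) + handshake_msg(14, b"")))
```

The first record of the sample ends inside the 4-byte handshake header, so the parser has to buffer across records before it can even read the message length.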
