TLS Record Layer Bugs

Pasi.Eronen@nokia.comIETF67 TLS WG

Background

• Testing inspired by Yngve’s draft

• No illegal inputs (overflows etc.)

Fragmentation

“multiple client messages of the same ContentType MAY be coalesced into a single TLSPlaintext record, or a single message MAY be fragmented across several records”

Fragmentation: test results

• OpenSSL fail• Microsoft IIS fail• Mozilla NSS OK• Certicom OK• GnuTLS OK• Sun JSSE OK• Cryptlib fail• PureTLS fail• TLSLite fail• MatrixSSL fail

Fragmentation: proposal

• MUST NOT fragment Handshake, Alert, and CCS messages

• Unless larger than max. fragment size

• …At least when using TLS_NULL_WITH_NULL_NULL?

Empty fragments: test results

• OpenSSL fail• Microsoft IIS fail• Mozilla NSS fail• Certicom OK• GnuTLS OK• Sun JSSE fail• Cryptlib fail• PureTLS fail• TLSLite fail• MatrixSSL fail

Empty fragments: proposal

• MUST NOT send empty fragments

• … with Handshake/Alert/CCS content type only?

Large padding

“padding MAY be any length up to 255 bytes, as long as it results in the TLSCiphertext.length being an integral multiple of the block length”

Large padding: test results

• OpenSSL OK• Microsoft IIS OK• Mozilla NSS OK• Certicom OK• GnuTLS OK• Sun JSSE OK• Cryptlib OK• PureTLS OK• TLSLite OK• MatrixSSL fail

Unknown content types

“If a TLS implementation receives a record type it does not understand, it SHOULD just ignore it.”

Unknown content: test results

• OpenSSL OK• Microsoft IIS fail• Mozilla NSS fail• Certicom fail• GnuTLS fail• Sun JSSE OK• Cryptlib fail• PureTLS fail• TLSLite fail• MatrixSSL fail

Unknown content: proposal

• MUST NOT send other content types except when negotiated using a TLS extension

Summary

• I have some more tests…

• Anyone interested in more testing?– SSL accelerator boxes?– Lotus Domino?