Opened 10 years ago
Last modified 22 months ago
#554 new Bug / Defect
Add support for partial TLS record reads (i.e. support 1/n-1 record splitting)
| Reported by: | Steffan Karger | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.7 |
| Component: | Crypto | Version: | OpenVPN git master branch (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
This ticket is a follow-up for #524.
OpenVPN assumes that its control channel messages are sent and received unfragmented, which is actually not conforming to the TLS spec. See RFC5246, section 6.2.1:
Client message boundaries are not preserved in the record layer (i.e.,
multiple client messages of the same ContentType MAY be coalesced
into a single TLSPlaintext record, or a single message MAY be
fragmented across several records).
In practice, this assumption only becomes invalid if 1/n-1 record splitting is enabled in PolarSSL/mbed TLS. As a quick fix for #524, record splitting is explicitly disabled. (That should be fine for openvpn. Record splitting is a countermeasure against the BEAST attack, which requires an attacker to influence the data in the records to obtain other data in the same record. But unlike browsers, openvpn does not give an attacker control over the transmitted data.)
Still, I think we should adhere to the spec to be able to support tricks like 1/n-1 splitting. It will make OpenVPN more robust against future changes in SSL libraries.
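The record-layer behaviour described above, as an added example that is not OpenVPN's or mbed TLS's code: a constructed record source emulates 1/n-1 splitting, `demo_naive` shows what the one-read-one-message assumption receives (only the 1-byte leading record), and `recv_message_reassemble` is the spec-conforming loop that keeps reading until the whole message is buffered. All names here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an SSL library read call: each call hands back the next
 * plaintext fragment. With 1/n-1 splitting the sender emits a 1-byte record first,
 * then a record carrying the remaining n-1 bytes. */
struct record_source {
    const uint8_t *data;
    size_t len, pos;
    int split_first;        /* nonzero: emulate 1/n-1 record splitting */
};

/* Copies the next fragment into out (at most cap bytes); returns 0 at end of stream. */
static size_t read_record(struct record_source *src, uint8_t *out, size_t cap)
{
    size_t n = src->len - src->pos;
    if (src->split_first && src->pos == 0 && n > 1)
        n = 1;              /* the leading 1-byte record */
    if (n > cap)
        n = cap;
    memcpy(out, src->data + src->pos, n);
    src->pos += n;
    return n;
}

/* Spec-conforming receiver: keep reading until `want` bytes are buffered or the stream
 * ends. A real implementation would also yield to the event loop when a read would block. */
static size_t recv_message_reassemble(struct record_source *src, uint8_t *msg, size_t want)
{
    size_t got = 0, n;
    while (got < want && (n = read_record(src, msg + got, want - got)) > 0)
        got += n;
    return got;
}

static const char kMsg[] = "HELLO-CTRL";   /* constructed 10-byte control message */
enum { MSG_LEN = sizeof kMsg - 1 };

/* The assumption the ticket describes: one read is treated as one whole message.
 * Returns the bytes that single read delivers: MSG_LEN unsplit, but only 1 with splitting. */
size_t demo_naive(int split)
{
    struct record_source src = { (const uint8_t *)kMsg, MSG_LEN, 0, split };
    uint8_t buf[MSG_LEN] = {0};
    return read_record(&src, buf, sizeof buf);
}

/* Returns 1 when the reassembling receiver recovers the whole message intact. */
int demo_reassemble(int split)
{
    struct record_source src = { (const uint8_t *)kMsg, MSG_LEN, 0, split };
    uint8_t buf[MSG_LEN] = {0};
    return recv_message_reassemble(&src, buf, sizeof buf) == MSG_LEN
        && memcmp(buf, kMsg, MSG_LEN) == 0;
}
```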
Change History (5)
comment:1 Changed 9 years ago by
| Milestone: | release 2.4 → beta 2.4 |
|---|---|
comment:2 Changed 8 years ago by
comment:3 Changed 8 years ago by
| Milestone: | beta 2.4 → release 2.5 |
|---|---|
still relevant, but missed the boat -> 2.5
comment:4 Changed 4 years ago by
| Milestone: | release 2.5 → release 2.6 |
|---|---|
still relevant, but missed the boat -> 2.6
le sigh...
comment:5 Changed 22 months ago by
| Milestone: | release 2.6 → release 2.7 |
|---|---|
still relevant, but missed the boat -> 2.6
le sigh...
OpenVPN 3 supports this now, and we would like to be able to use this feature to remove some limitations on the protocol. See https://github.com/OpenVPN/openvpn3/commit/2255bab0.