
curl-library

Re: schannel_connect_step3 failures

From: Marc Hoersken <info_at_marc-hoersken.de>
Date: Wed, 20 Jun 2012 20:53:29 +0200

Hi Yang,

2012/6/20 Yang Tse <yangsita_at_gmail.com>:
> Code sets several ISC_REQ_* bit flags in order to setup security
> context, and later verifies if the flags of the security context
> actually match those previously set.
>
> The problem is that except for ISC_REQ_ALLOCATE_MEMORY, all other may
> simply be ignored, changed while handshaking and even further changed
> while renegotiating.
>
> I believe the fix is to only warn if returned flags don't match
> requested ones, except for the ISC_REQ_ALLOCATE_MEMORY one which
> should fail hard if it doesn't match and make schannel_connect_step3
> fail.

I am worried that the flags change in your use cases. And I really
don't like the idea of ignoring or just warning about non-matching
flags. ISC_RET_CONFIDENTIALITY, ISC_RET_REPLAY_DETECT and
ISC_RET_SEQUENCE_DETECT are pretty important to make sure that the SSL
connection is actually "secure". Why would you want to communicate
through an SSL connection that is actually not secure? There should be
some other way to fix this.

I am pretty busy with final exams during the following weeks, so I
would like to ask whether you or someone else could spend a little
more research on this issue before simply ignoring the source of the
actual problem. Thanks in advance, I would really appreciate it!

Best regards,
Marc
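
As an added illustration (not curl's code, and not anything Marc or Yang posted), a portable C rendering of the requested-versus-returned attribute comparison the thread is about. InitializeSecurityContext() is asked for a set of ISC_REQ_* attributes and hands back the ISC_RET_* attributes the context actually has; the check below splits the missing bits into those that should abort the handshake and those that should only be logged. The ISC_REQ_/ISC_RET_ values are the Windows SDK (sspi.h) constants, redefined here so the file builds without the Windows headers; which bits are treated as fatal is an assumption taken from the two positions in this thread (ALLOCATE_MEMORY from Yang, CONFIDENTIALITY, REPLAY_DETECT and SEQUENCE_DETECT from Marc), not curl's eventual decision.

```c
/* Added example, not curl's schannel code. Constants match sspi.h in the
 * Windows SDK; on Windows you would include <security.h>/<sspi.h> and use
 * the real ones instead of these definitions. */
#include <stdio.h>
#include <string.h>

#define ISC_REQ_REPLAY_DETECT    0x00000004UL
#define ISC_REQ_SEQUENCE_DETECT  0x00000008UL
#define ISC_REQ_CONFIDENTIALITY  0x00000010UL
#define ISC_REQ_ALLOCATE_MEMORY  0x00000100UL
#define ISC_REQ_STREAM           0x00008000UL

/* For these attributes the ISC_RET_ bits have the same values as ISC_REQ_. */
#define ISC_RET_REPLAY_DETECT    0x00000004UL
#define ISC_RET_SEQUENCE_DETECT  0x00000008UL
#define ISC_RET_CONFIDENTIALITY  0x00000010UL
#define ISC_RET_ALLOCATE_MEMORY  0x00000100UL
#define ISC_RET_STREAM           0x00008000UL

/* Assumed policy: bits whose absence from the returned attributes must
 * fail the connection. ALLOCATE_MEMORY decides who owns the output
 * buffers; the other three are the properties that make the channel
 * actually secure. Anything else that went missing is only warned about. */
#define HARD_RET_FLAGS (ISC_RET_ALLOCATE_MEMORY | ISC_RET_CONFIDENTIALITY | \
                        ISC_RET_REPLAY_DETECT | ISC_RET_SEQUENCE_DETECT)

/* The request set a client such as curl's schannel backend would pass. */
#define SAMPLE_REQ_FLAGS (ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT | \
                          ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY | \
                          ISC_REQ_STREAM)

enum flag_verdict { FLAGS_OK = 0, FLAGS_WARN = 1, FLAGS_FAIL = 2 };

static const struct { unsigned long bit; const char *name; } flag_names[] = {
    { ISC_RET_ALLOCATE_MEMORY, "ALLOCATE_MEMORY" },
    { ISC_RET_CONFIDENTIALITY, "CONFIDENTIALITY" },
    { ISC_RET_REPLAY_DETECT,   "REPLAY_DETECT" },
    { ISC_RET_SEQUENCE_DETECT, "SEQUENCE_DETECT" },
    { ISC_RET_STREAM,          "STREAM" },
};

/* Names of the set bits in `flags`, comma separated, for a log line.
 * Returns a static buffer, so it is not reentrant. */
const char *describe_flags(unsigned long flags)
{
    static char buf[128];
    size_t i;
    buf[0] = '\0';
    for (i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (flags & flag_names[i].bit) {
            if (buf[0])
                strncat(buf, ",", sizeof buf - strlen(buf) - 1);
            strncat(buf, flag_names[i].name, sizeof buf - strlen(buf) - 1);
        }
    }
    return buf;
}

/* Compare the attributes requested with those the context came back
 * with. A missing hard bit is FAIL, any other missing bit is WARN, and
 * the missing set is reported through `missing_out` when non-NULL. */
enum flag_verdict check_ret_flags(unsigned long req_flags,
                                  unsigned long ret_flags,
                                  unsigned long *missing_out)
{
    unsigned long missing = req_flags & ~ret_flags;
    if (missing_out)
        *missing_out = missing;
    if (missing & HARD_RET_FLAGS)
        return FLAGS_FAIL;
    if (missing)
        return FLAGS_WARN;
    return FLAGS_OK;
}

int main(void)
{
    /* Constructed sample: the context came back without CONFIDENTIALITY. */
    unsigned long ret = SAMPLE_REQ_FLAGS & ~ISC_RET_CONFIDENTIALITY;
    unsigned long missing;
    enum flag_verdict v = check_ret_flags(SAMPLE_REQ_FLAGS, ret, &missing);
    printf("verdict=%d missing=%s\n", (int)v, describe_flags(missing));
    return v == FLAGS_FAIL ? 0 : 1;
}
```

The point of separating the two sets is that a context without ISC_RET_CONFIDENTIALITY is exactly the "SSL connection that is actually not secure" case above, so it gets the hard failure, while a bit like STREAM going missing is logged and the caller decides. If the attributes really do change across renegotiation, the same check can be re-run on the attributes of the renegotiated context rather than trusting the ones observed at the first handshake.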
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-06-20