The following flaw was reported by OpenSSL upstream:
During a renegotiation handshake if the Encrypt-Then-Mac (ETM) extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected.
The problem was caused by changing the flag indicating whether to use ETM or not immediately on negotiation of ETM, rather than at CCS. Therefore, during a renegotiation, if the ETM state is changing (usually due to a change of ciphersuite), then an error/crash will occur. Due to the fact that there are separate CCS messages for read and write we actually now need two flags to determine whether to use ETM or not.
This issue affects OpenSSL 1.1.0 only, and is fixed in 1.1.0e. This issue does not affect OpenSSL version 1.0.2.
Name: the OpenSSL project
Upstream: Joe Orton (Red Hat)
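The flag-timing problem described in the advisory above, as a simplified model added here (it is not OpenSSL's code and not part of the original report). The event names, struct fields and sample handshake order are constructed for illustration; the function counts records handled with an ETM setting that differs from the one the current epoch was set up with, first with a single flag flipped on negotiation, then with separate read and write flags flipped at each CCS.

```c
#include <stdbool.h>
#include <stdio.h>

/* Events one endpoint sees during a renegotiation (constructed model). */
enum event { EV_ETM_NEGOTIATED, EV_RECORD_IN, EV_RECORD_OUT, EV_CCS_IN, EV_CCS_OUT };

/* Constructed sample order: extension exchange, handshake records still under
   the old epoch, then CCS and Finished in each direction. */
static const enum event RENEG[] = {
    EV_ETM_NEGOTIATED, EV_RECORD_OUT, EV_RECORD_IN,
    EV_CCS_OUT, EV_RECORD_OUT, EV_CCS_IN, EV_RECORD_IN };
#define RENEG_LEN ((int)(sizeof RENEG / sizeof RENEG[0]))

struct conn {
    bool negotiated_etm; /* result of the extension exchange, pending until CCS */
    bool read_etm;       /* flag consulted when processing incoming records */
    bool write_etm;      /* flag consulted when protecting outgoing records */
};

/* fixed == false: one decision applied to both directions on negotiation.
   fixed == true:  per-direction flags updated only at the matching CCS.
   Returns how many records were handled with the wrong ETM setting. */
int count_mismatches(const enum event *ev, int n, bool old_etm, bool new_etm, bool fixed)
{
    struct conn c = { old_etm, old_etm, old_etm };
    bool real_read = old_etm, real_write = old_etm; /* mode each epoch really uses */
    int bad = 0;
    for (int i = 0; i < n; i++) {
        switch (ev[i]) {
        case EV_ETM_NEGOTIATED:
            c.negotiated_etm = new_etm;
            if (!fixed) c.read_etm = c.write_etm = new_etm; /* applied too early */
            break;
        case EV_CCS_IN:  real_read  = c.read_etm  = c.negotiated_etm; break;
        case EV_CCS_OUT: real_write = c.write_etm = c.negotiated_etm; break;
        case EV_RECORD_IN:  bad += (c.read_etm  != real_read);  break;
        case EV_RECORD_OUT: bad += (c.write_etm != real_write); break;
        }
    }
    return bad;
}

int main(void)
{
    printf("single flag: %d mismatched records, per-direction flags: %d\n",
           count_mismatches(RENEG, RENEG_LEN, false, true, false),
           count_mismatches(RENEG, RENEG_LEN, false, true, true));
    return 0;
}
```

When the ETM state does not change across the renegotiation, both variants report zero mismatches, which matches the advisory's statement that the failure appears only when the ETM state is changing.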
Created attachment 1249850