Not honoring D.4. Middlebox Compatibility Mode

[WernerWenz]

As per RFC an arbitrary number of (empty, unencrypted) change_cipher_spec records may be send during the handshake.
Most clients will most likeley use this feature in order to increase chances for successfully establishing a TLS connection over the Internet.
OpenSSL s_client and TLS-tris for example do so and thus currently are not compatible.

Fixing might be possible at

mint/record-layer.go

Line 383 in 83ba9bc

switch RecordType(header[0]) {

However, while enabling connections from OpenSSL/tris, a simple

func (r *DefaultRecordLayer) nextRecord(allowOldEpoch bool) (*TLSPlaintext, error) {
again:
....
case RecordTypeChangeCipherSpec:
   goto again

would not be sufficient as these records must only occur unencrypted during the handshake (before the client finished).

[bifurcation]

@ekr - Is this is a spec compliance issue or a feature request?

[ekr]

Assuming i am reading the report correctly, it's spec compliance. I think it's probably in one of the existing PRs though

…

On Mon, Feb 11, 2019 at 2:03 PM Richard Barnes ***@***.***> wrote: @ekr <https://github.com/ekr> - Is this is a spec compliance issue or a feature request? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#200 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABD1oelgOSgEmtj6C0brzGLRP-xHfoL_ks5vMeidgaJpZM4azDZK> .