Wan-Teh Chang wrote, On 2008-12-08 17:38:
> In NSS's SSL test programs selfserv.c, tstclnt.c, and strsclnt.c, we have
> code like this:
>
>     result = SSL_GetChannelInfo(fd, &channel, sizeof channel);
>     if (result == SECSuccess &&
>         channel.length == sizeof channel &&
>         channel.cipherSuite) {
>         result = SSL_GetCipherSuiteInfo(channel.cipherSuite,
>                                         &suite, sizeof suite);
>
> Why is the channel.cipherSuite test necessary?
>
> A Chromium developer reported that they see SSL_GetChannelInfo
> return a 0 channel.cipherSuite in their tests. I'm trying to find out
> and document under what conditions SSL_GetChannelInfo may
> return a 0 channel.cipherSuite.
The boolean test of channel.cipherSuite could also be coded as:

    channel.cipherSuite == SSL_NULL_WITH_NULL_NULL

SSL_NULL_WITH_NULL_NULL is the name of a pseudo cipher suite which uses no encryption and no authentication. It is defined as the state of a connection before any SSL handshake has completed successfully. Its numeric cipher suite number is zero. SSL is forbidden to ever negotiate that cipher suite. So, by definition, if the channel is in that state, it has never successfully completed a handshake.

SSL_GetChannelInfo can return SECSuccess and have channel.cipherSuite == 0 if any of the following are true:

- The SSL layer socket option SSL_SECURITY has been set to false (0), effectively turning the SSL layer into a no-op layer
- No SSL handshake has completed successfully.

/Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
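The check described in this exchange, written out as a helper that refuses to treat a channel as protected until SSL_GetChannelInfo reports a real cipher suite, and that separates the two zero-suite causes Nelson lists by reading the SSL_SECURITY option. This is an added example, not code from NSS or from either poster; it assumes the NSS headers ssl.h and sslproto.h are on the include path, and the names classify_channel, channel_state and report_channel are hypothetical.

```c
#include <stdio.h>
#include "ssl.h"       /* SSL_GetChannelInfo, SSL_OptionGet, SSL_SECURITY */
#include "sslproto.h"  /* SSL_NULL_WITH_NULL_NULL (0x0000) */

typedef enum {
    CHANNEL_SECURE,         /* handshake done, a real suite is negotiated  */
    CHANNEL_NOT_HANDSHAKEN, /* suite is SSL_NULL_WITH_NULL_NULL, security on */
    CHANNEL_SECURITY_OFF,   /* SSL_SECURITY is false: SSL layer is a no-op  */
    CHANNEL_QUERY_FAILED    /* SSL_GetChannelInfo failed or struct mismatch */
} channel_state;

/* Classify the channel behind fd. On CHANNEL_SECURE, *suite is filled in. */
channel_state classify_channel(PRFileDesc *fd, SSLCipherSuiteInfo *suite)
{
    SSLChannelInfo channel;
    PRIntn security_on = 1;

    /* Same length check as the NSS test programs: guards against a
     * caller/library mismatch in the SSLChannelInfo layout. */
    if (SSL_GetChannelInfo(fd, &channel, sizeof channel) != SECSuccess ||
        channel.length != sizeof channel) {
        return CHANNEL_QUERY_FAILED;
    }
    /* Suite 0 is the pseudo suite no handshake may ever negotiate, so it
     * means "no handshake completed" or "SSL_SECURITY turned off". */
    if (channel.cipherSuite == SSL_NULL_WITH_NULL_NULL) {
        if (SSL_OptionGet(fd, SSL_SECURITY, &security_on) == SECSuccess &&
            !security_on) {
            return CHANNEL_SECURITY_OFF;
        }
        return CHANNEL_NOT_HANDSHAKEN;
    }
    if (SSL_GetCipherSuiteInfo(channel.cipherSuite, suite, sizeof *suite)
        != SECSuccess) {
        return CHANNEL_QUERY_FAILED;
    }
    return CHANNEL_SECURE;
}

/* Log the result; only a CHANNEL_SECURE channel should carry app data. */
void report_channel(PRFileDesc *fd)
{
    SSLCipherSuiteInfo suite;
    switch (classify_channel(fd, &suite)) {
    case CHANNEL_SECURE:
        printf("secure: %s\n", suite.cipherSuiteName); break;
    case CHANNEL_NOT_HANDSHAKEN:
        puts("no handshake has completed on this socket"); break;
    case CHANNEL_SECURITY_OFF:
        puts("SSL_SECURITY is off; traffic is plaintext"); break;
    default:
        puts("could not query channel info");
    }
}
```

Call report_channel after SSL_ForceHandshake (or after the first read/write that drives the handshake) so that a zero cipher suite is reported as a distinct failure rather than silently passed to SSL_GetCipherSuiteInfo.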