TLS Handshake: Client Data Before Server Finished

TL;DR

No, a client cannot reliably send application data in TLS 1.2 or earlier before receiving the server’s Finished message. Doing so is a protocol violation and will likely result in connection termination or security vulnerabilities.

Understanding the TLS Handshake

The TLS handshake establishes a secure connection between a client and a server. It involves several steps to negotiate encryption algorithms, exchange keys, and verify identities. The key sequence is:

1. Client Hello: Client proposes supported ciphersuites and TLS versions.
2. Server Hello: Server selects the cipher suite and TLS version.
3. Certificate Exchange: Server sends its certificate (and potentially intermediate certificates).
4. Key Exchange: Both client and server exchange key material.
5. Change Cipher Spec: Client signals it will start encrypting data.
6. Finished: Client sends an encrypted hash of the handshake messages to prove its integrity.
7. Change Cipher Spec (Server): Server signals it will start encrypting data.
8. Finished (Server): Server sends an encrypted hash of the handshake messages to prove its integrity.
9. Application Data: Secure communication begins.

Why You Can’t Send Data Early

The ‘Finished’ message is crucial for security. It confirms that both sides have correctly negotiated the encryption parameters and haven’t been tampered with during the handshake process. Here’s why sending data before receiving the server’s Finished is problematic:

• Cipher Suite Not Finalised: Until the ‘Finished’ message, the cipher suite isn’t definitively agreed upon. Any data sent before this point could be encrypted using an incorrect or insecure algorithm.
• Key Exchange Incomplete: The key exchange might not be fully completed. Sending data without a secure key is obviously dangerous.
• Man-in-the-Middle (MITM) Attacks: A MITM attacker could intercept the handshake and manipulate it. Without verifying the ‘Finished’ message, you can’t be sure you’re communicating with the legitimate server.

What Happens If You Try?

If a client attempts to send application data before receiving the server’s Finished message, one of these scenarios is likely:

• Connection Reset: The server will typically detect this as an error and immediately close the connection.
• Data Discarded: The server might ignore any data received before the ‘Finished’ message.
• Security Vulnerability: In rare cases, a poorly implemented TLS stack could allow the data to be processed insecurely, leading to potential vulnerabilities.

Example Scenario (Illustrative – Don’t Do This!)

Imagine you’re using OpenSSL and attempting to send data after the client ‘Change Cipher Spec’ but before receiving the server ‘Finished’.

// Incorrect: Sending data too early!

How to Ensure Correct Data Transmission

1. Wait for Finished: Always ensure your application waits for and validates the server’s ‘Finished’ message before sending any application data.
2. Use a TLS Library: Rely on well-established TLS libraries (like OpenSSL, BoringSSL, or GnuTLS) to handle the handshake correctly. These libraries will automatically enforce the protocol rules.
3. Check Return Codes: Pay attention to any error codes returned by your TLS library during the handshake process.

TLS 1.3 and Early Data

It’s important to note that TLS 1.3 introduces a feature called ‘Early Data’. This allows clients to send encrypted application data before the full handshake is complete, but it requires specific server support and careful implementation with 0-RTT (Zero Round Trip Time) key exchange. TLS 1.3 Early Data is not available in TLS 1.2 or earlier.