IETF Logo Mail Archive

Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05

Corey Bonnell <cbonnell@outlook.com> Fri, 05 July 2019 03:02 UTC

Return-Path: <cbonnell@outlook.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B79691200E7 for <acme@ietfa.amsl.com>; Thu, 4 Jul 2019 20:02:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outlook.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BePNjXuA1ItM for <acme@ietfa.amsl.com>; Thu, 4 Jul 2019 20:02:10 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-oln040092001086.outbound.protection.outlook.com [40.92.1.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9DCF1200D7 for <acme@ietf.org>; Thu, 4 Jul 2019 20:02:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7/ppR+WiZT5xBLZax83O+Wf2jCZtCLjll4BTzqjk4G4=; b=VrgNJ+fvHmE2m3AeoSHuBNNB3wRxp7c+Nkn0xVVJGo1J+xkb1TpIdS8eSZw+97y01cW+1+jvBOFkI5IpnWrftmSE+oeXbzIIDW08EZ9o/Ph0e5OwIgDo2OaOEmiIYB89GjcPI4udVtUe+HQOVVDhoRGwWFGkGV5IFkclsjnvtKvroPlhoGU9Va29oQkUvxdADRSTe1O5UpBqaKiiVxDe1VfqOd6HW5rIMO7QdctpMnxJIxBNsQIl5argeLXbWMCdIIZ2LOvxWQM1/qrDKIqVAaPRj2v5Mot4xQnVwsX0Gpn+jNPcF1clY3bJUfq1qeDXTmhJYhlBFih1ll6M/B6zVQ==
Received: from BY2NAM01FT044.eop-nam01.prod.protection.outlook.com (10.152.68.56) by BY2NAM01HT158.eop-nam01.prod.protection.outlook.com (10.152.68.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2032.15; Fri, 5 Jul 2019 03:02:09 +0000
Received: from MN2PR18MB3264.namprd18.prod.outlook.com (10.152.68.57) by BY2NAM01FT044.mail.protection.outlook.com (10.152.68.181) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.2032.15 via Frontend Transport; Fri, 5 Jul 2019 03:02:09 +0000
Received: from MN2PR18MB3264.namprd18.prod.outlook.com ([fe80::e9d2:a50b:cf4e:a6ae]) by MN2PR18MB3264.namprd18.prod.outlook.com ([fe80::e9d2:a50b:cf4e:a6ae%4]) with mapi id 15.20.2052.010; Fri, 5 Jul 2019 03:02:09 +0000
From: Corey Bonnell <cbonnell@outlook.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05
Thread-Index: AQHU9L+epzmXNs4yDUG9lMQgYbElSKZLaRaAgAAkaQCAABD+gIAAA9cAgADUIoCAAFWsgIBvA+6b
Date: Fri, 05 Jul 2019 03:02:09 +0000
Message-ID: <MN2PR18MB3264AF4BEEB0EE3CEF64BF1BC3F50@MN2PR18MB3264.namprd18.prod.outlook.com>
References: <MN2PR18MB28457CCBEF6FFE2B70E286FCC3250@MN2PR18MB2845.namprd18.prod.outlook.com> <20190424142331.GA502878@LK-Perkele-VII> <CAErg=HFZSo5XF8x9WtC=5tCcXFN3xweg2ewMZSZwh0ON8kWaNw@mail.gmail.com> <20190424173439.GA503906@LK-Perkele-VII> <CAErg=HF2jF_VXYMf9h7Fwv0kM-7nfA-Z5a98R9BSg1JOxTC8WA@mail.gmail.com> <20190425062739.GA508605@LK-Perkele-VII>, <CAErg=HHO+=oy_jXOJbi+_OU34A+-5du6gtSa3pcqDWdhUOaiYw@mail.gmail.com>
In-Reply-To: <CAErg=HHO+=oy_jXOJbi+_OU34A+-5du6gtSa3pcqDWdhUOaiYw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:E046EAB89F7C181F8195379454AA7F31ACF6637B35818974A6219A4AB8D7D2A5; UpperCasedChecksum:41DBEA46BB903F2467060A6667821B2B04A6AB0A0CEF6BFF81E4093EF1F937DE; SizeAsReceived:7289; Count:44
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [fuSHU3/diOKZbr3dQFnR0Pyca5WO4w1P]
x-ms-publictraffictype: Email
x-incomingheadercount: 44
x-eopattributedmessage: 0
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(5050001)(7020095)(20181119110)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031322404)(2017031323274)(2017031324274)(1601125500)(1603101475)(1701031045); SRVR:BY2NAM01HT158;
x-ms-traffictypediagnostic: BY2NAM01HT158:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-message-info: 9KCtXwN0gHqUaBolyDIXaI8rspxe5Xehtwc/Xq0cVUw5psmvvu2chupmzmpU4RpRXNbiW2S1araohgm+3XRt4A8k4g8kErKk021WPO2Br6WEfRGedHjKS/9w+/VYLZ0ZHgP1CsWZmCBHWnU7XFqHzyvn6c18F1taH1W4jEdNUq4uswqaQtNGOguQR4JROPSm
Content-Type: multipart/alternative; boundary="_000_MN2PR18MB3264AF4BEEB0EE3CEF64BF1BC3F50MN2PR18MB3264namp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 6f258155-ea7a-4814-451c-08d700f52b8d
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jul 2019 03:02:09.3001 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2NAM01HT158
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/9wQpoUMlGAwTV_QeQPomuAKary4>
Subject: Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2019 03:02:15 -0000

Quite some time has elapsed since the last message of this discussion was sent, and I don’t think there was any resolution to the concerns raised. If I’m understanding Ilari correctly, there are networking appliances (such as HAProxy, as described here: https://stuff-things.net/2016/11/30/haproxy-sni/)  that sniff the SNI value in the ClientHello to determine the destination TLS server but do not otherwise decrypt/re-encrypt the flow. If a hosting provider uses a frontend such as HAProxy, an attacker could register the .arpa hostname and configure a TLS server to respond to the ALPN challenge request.

I believe this can be mitigated by not including the SNI extension in the challenge ClientHello. Not including any SNI value would mean that the ALPN challenge flow would be routed in the same manner as normal TLS flows to the IP address being validated, thus eliminating any possibility of an attacker exploiting any differences in the routing/address information in the challenge flow vs. normal flows to fraudulently obtain certificates. In addition, including the ALPN extension and omitting the SNI extension means that the security issues surrounding http-01 validation via HTTPS and default virtual hosts are effectively mitigated, as the server presumably will not respond to the unknown ALPN value. As such, I believe omitting the SNI value is a reasonable mitigation.

I don’t quite understand the need for embedding the IP address being validated in the TLS ClientHello, as that information is already available in the destination IP address field of the IP header. If any packets of the challenge request are NATted before being received at the final TLS server, then implementations can transmit the IP address being validated in some implementation-specific manner that need not be explicitly defined in the specification. Nonetheless, if the IP address is deemed necessary to include in the ClientHello, it would probably be best to include it in a new TLS extension.


Thanks,

Corey

________________________________
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Sent: Thursday, April 25, 2019 7:34 AM
To: Ilari Liusvaara
Cc: Corey Bonnell; Ryan Sleevi; acme@ietf.org
Subject: Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05



On Thu, Apr 25, 2019 at 2:27 AM Ilari Liusvaara <ilariliusvaara@welho.com<mailto:ilariliusvaara@welho.com>> wrote:
On Wed, Apr 24, 2019 at 01:48:24PM -0400, Ryan Sleevi wrote:
> On Wed, Apr 24, 2019 at 1:34 PM Ilari Liusvaara <ilariliusvaara@welho.com<mailto:ilariliusvaara@welho.com>>
> wrote:
>
> > > If that's roughly correct, would you agree a possible mitigation
> > > (notwithstanding complexity concerns) 'could' be the use of a client
> > hello
> > > extension, echo'd by the server (thus confirming it understands the
> > > protocol, and is not merely 'dumb' parsing but an active participant in
> > the
> > > TLS handshake), that indicates the IP being verified?
> >
> > The server must already acknowledge the IP address being verified.
> >
>
> I'm not sure how this conclusion is reached. Could you help me understand
> more?

The validation certificate contains the IP address being verified
in the SAN extension.

> > And that mitigation does not work. If the NAT does not know about
> > TLS-ALPN, it will not know about whatever extension that would be,
> > and thus just copy it through straight to attacker, who can then
> > freely reply.
>
>
> I'm not sure why you say this. Your original threat model was that the TLS
> SNI NAT box does something 'sensible' in the absence of SNI - and that the
> attacker would not be able to terminate the handshake if SNI were absent.
> If the proposal were to omit the SNI, while still making sure it's bound to
> the request (via a separate extension), then as long as the TLS SNI NAT box
> does the sensible thing for an SNI-less request, there's no additional
> privilege.

What are the consequences if the server just takes that address without
checking (echoing the extension, with whatever is in it)?

TLS-ALPN with domain names is pretty robust security-wise against
servers and middleboxes doing wrong (but sensible) things.

I’m still struggling to build up a cohesive threat model for your concerns. Perhaps you can try writing one up, for folks who haven’t read this thread - and this might help folks like me who have read this thread.

Where I struggle is that the threats seem to continually shift through each message, but perhaps  I’m not understanding. For example, a middlebox that blindly echoes TLS extensions means it is terminating TLS, not merely dispatching on it. The security model of TLS-ALPN is, as discussed during that process, fundamentally undermined if the server starts echoing the ALPN - which is why the ALPN draft warns against it.

I’m trying to understand what “bad but legitimate” behaviors you see, because I doubt we can, will, or should solve for “bad and violating existing TLS invariant” behaviours. We should be careful to balance how many hypotheticals here, as unless we have a concrete threat model, we’re making protocol authors do unreasonable and undocumented dances.

And in CABForum BRs, fradulent IP address certificate is quite bad, as
it allows (at least in rules) getting fradulent DNS certificates for
any domain pointing to that name (due to existence of method 8).

I think that is largely orthogonal to this discussion. There is no need for a certificate - any “technical control” over the IP is sufficient for that purpose. If we’re countenancing servers that don’t do something sensible for SNI-less requests, then that’s already an issue, since CAs also aren’t required to use TLS-ALPN.

> If the issue is that the TLS SNI NAT box is *only* secure in the context of
> DNS - and maybe it does something sensible absent an SNI, and maybe it's
> terrible and fundamentally insecure absent an SNI - then what we're saying
> is middleboxes are evil and fundamentally insecure ;)

The reason for distinction between DNS and IP here is because of the
difference in how TLS-ALPN works with DNS and IP versus how clients
works with DNS and IP.

Consider TLS-SNI. That difference in behavior renders it insecure
w.r.t. such middleboxes for both DNS and IP. Yet I do not think anybody
would blame the middleboxes for this issue, they blame TLS-SNI instead.

I’m still not confident I have a clear understanding of your concerns, and that’s concerning if only because it sounds like you believe there are critical, unaddressed security issues with the draft, and it’s unclear how to move forward or address them. It appears the concerns are shifting in the messages, but it’s entirely likely I’m missing some metapoint you’re making.

Do you have suggestions on how to address the issues you see? That might also help make it clearer.

v2.23.0 | Report a Bug | By Email