Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05
Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 24 April 2019 16:34 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ECB212008C for <acme@ietfa.amsl.com>; Wed, 24 Apr 2019 09:34:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6xgzopy1vZYI for <acme@ietfa.amsl.com>; Wed, 24 Apr 2019 09:34:07 -0700 (PDT)
Received: from mail-ed1-f50.google.com (mail-ed1-f50.google.com [209.85.208.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A79F912010E for <acme@ietf.org>; Wed, 24 Apr 2019 09:34:04 -0700 (PDT)
Received: by mail-ed1-f50.google.com with SMTP id k92so16479133edc.12 for <acme@ietf.org>; Wed, 24 Apr 2019 09:34:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=l+Rbu6s0fBv539Vj8ZS+O1I1wr2O4bZdwgIXWCG1qKg=; b=hFnS7Y3HrPVZ5UfdxFpTSfF6wKFOibW+Wvs1ivllzXDCY+SRabvcG3axKBxp9KbK3Y zqOmV9BhKIE++7/+lNTk/3fiv5tvGQ/d9YMEU8MRilk/WX48r/3F5acr0prcYgUj+ofD p4xWjC4HWiIU0reA/Ilb8WrtUiB+dUSyp63F2QiI/zB1fS6p23X1MXYMjPhyZkj5L/e9 MD+BWVu4VXOIzwff8C6H3LhIwVA9nEbyi/7pCyuDdbVAQWPjm+7B8txEje/ekgt+DoO4 gEN8Otz+THgBJlTNcTYy8YMzQK72b3RCs+o/sagkrZoVEmF36a9hnhVShTn95BZ3soj8 yBIw==
X-Gm-Message-State: APjAAAUTICEnUAhiv0eSRvQ9hoGZGo0IGMR4lFv4YtYZhx3ESCK0ecM3 OS3VGeFdHpJoeSxM5HJDlp+lV1p4
X-Google-Smtp-Source: APXvYqxw1PfVbjKkA1MKRW4hdRkXqT8vVEjuEqx/cSqbfQCheJgXi8qBlP9sziGODb/UT7j1/bNkVw==
X-Received: by 2002:a17:906:bce2:: with SMTP id op2mr8608280ejb.105.1556123642783; Wed, 24 Apr 2019 09:34:02 -0700 (PDT)
Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com. [209.85.221.46]) by smtp.gmail.com with ESMTPSA id l22sm3651061eja.67.2019.04.24.09.34.02 for <acme@ietf.org> (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Wed, 24 Apr 2019 09:34:02 -0700 (PDT)
Received: by mail-wr1-f46.google.com with SMTP id f14so25474467wrj.5 for <acme@ietf.org>; Wed, 24 Apr 2019 09:34:02 -0700 (PDT)
X-Received: by 2002:adf:eb89:: with SMTP id t9mr23406685wrn.109.1556123642065; Wed, 24 Apr 2019 09:34:02 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR18MB28457CCBEF6FFE2B70E286FCC3250@MN2PR18MB2845.namprd18.prod.outlook.com> <20190424142331.GA502878@LK-Perkele-VII>
In-Reply-To: <20190424142331.GA502878@LK-Perkele-VII>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 24 Apr 2019 12:33:50 -0400
X-Gmail-Original-Message-ID: <CAErg=HFZSo5XF8x9WtC=5tCcXFN3xweg2ewMZSZwh0ON8kWaNw@mail.gmail.com>
Message-ID: <CAErg=HFZSo5XF8x9WtC=5tCcXFN3xweg2ewMZSZwh0ON8kWaNw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Corey Bonnell <cbonnell@outlook.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e97c4e058749445a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/q7tFLHNGvEanvWiJzX3oB9W4EgY>
Subject: Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 16:34:09 -0000
On Wed, Apr 24, 2019 at 10:23 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > I am not sure ALPN extension prevents exploitation. > > > Consider TLS SNI NAT (yes, such things exist) with: > > - Connections without SNI are handled in some safe way. > - Loose registration practices (which made TLS-SNI-01/02 insecure) > - No TLS termination (or customer can disable termination for their > name). > - No support for TLS-ALPN. > > > Now, attacker claims the RDNS name of the IP address of the host > and sets up TLS-ALPN responder (this fails with DNS-type names). > > > Then attacker requests certificate for the IP address. The NAT then > sees the SNI, ignores ALPN and sends the connection to the attacker, > which can then respond with validation certificate. The authorization > passes and CA issues fradulent certificate. > > > The attack exploits the different SNI in requests client would send > and what validation uses (TLS-ALPN with DNS names uses the same name, > so the attack will not work). The attack against TLS-SNI also exploited > this difference (but could work even if TLS termination could not be > disabled). > Thanks Ilari! Just to make sure - these are TLS SNI NAT based on inspecting the TLS handshake, without actually terminating it, right? That is, it's doing the "middlebox" thing that introduced huge amounts of complexity to deploying TLS 1.3, and we're wanting to make sure the IP validation similarly works around it. The further assumption here is that these products are 'safe by default' when omitting SNI, but are otherwise ignorant of ALPN and its semantics. If that's roughly correct, would you agree a possible mitigation (notwithstanding complexity concerns) 'could' be the use of a client hello extension, echo'd by the server (thus confirming it understands the protocol, and is not merely 'dumb' parsing but an active participant in the TLS handshake), that indicates the IP being verified?
- [Acme] SNI extension for tls-alpn-01 challenge in… Corey Bonnell
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Corey Bonnell
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Salz, Rich
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Michael Richardson
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ilari Liusvaara
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ilari Liusvaara
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ilari Liusvaara
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ryan Sleevi
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Corey Bonnell
- Re: [Acme] SNI extension for tls-alpn-01 challeng… Ilari Liusvaara