Re: Expectations for TLS session reuse

Martin Thomson <> Thu, 22 December 2016 22:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3B83C1298A0 for <>; Thu, 22 Dec 2016 14:34:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-3.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lGD0xhEJB6lm for <>; Thu, 22 Dec 2016 14:34:31 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D8DC61295EA for <>; Thu, 22 Dec 2016 14:34:31 -0800 (PST)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1cKBtj-0008Tg-5R for; Thu, 22 Dec 2016 22:31:39 +0000
Resent-Date: Thu, 22 Dec 2016 22:31:39 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1cKBtL-0008G9-UN for; Thu, 22 Dec 2016 22:31:15 +0000
Received: from ([]) by with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <>) id 1cKBtK-0007FY-UE for; Thu, 22 Dec 2016 22:31:15 +0000
Received: by with SMTP id k15so7832891qtg.3 for <>; Thu, 22 Dec 2016 14:30:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+j/cI/9hRh9mfijnHzwnyULdrAiSClVH49ppHJ7zdmM=; b=YYZaFSzGDGwWP63z1EhZ3R0DSdu28pEt8SsCJMtjngVpS2a+R47dJYxY0fYz2BImLd zATU6KXqE0PDcnk9iiPpB73QWgzQSEL2lxZxZ03EudOyX1Hz02bvjXbPD6ts1dMUM1J8 vYEUiHrT910meLXtm9Z0aUS7eG00imW8p4gOWmkHOnFKLRgC9PQfzau5e6FtSsuaNBJJ eQzElRxW3FzM7xpTgRa3OjfHE+RFeKAN4Nb3+Q8N1DJ4CtIKnXSTJZ5DlZSPHuXM3kNf Z5FvqfQEnCreJsaQopmHzymsiyLeP1L3fr1WkMzWKGr4ZH+8c7mTQ55FD+Xf7YJ16f0z v7PQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+j/cI/9hRh9mfijnHzwnyULdrAiSClVH49ppHJ7zdmM=; b=U32Pt8ZeoTR3IKEya9mXm62ToQ/SfW7uNVDSQtgFk31J5BhxfDQBJj3y565hUo5s/5 DjtgzUGYQ9WH0IYjwwr8Decr3r1ckzZrWcVBTjFPwpA9oPu1enhZvIwBTtngHcUhn3qn slICseMMf8jp+F8DrhVF2VPMjCcdMuZo3cfYsqlpAz3b5cQ4tvZp/x2kT+XRDzo4kc3W +3iJquWOe8AiZ1EG6fB0Sf66GvBVtebDyalqH8Q+PINjWAvQWmkHXVUgY9fHd4RRS9NW UWur1WPjgnO8BQEeTaYDKGCsYDiDDr7tacjE/fYSikAytBznUtCmAELnjxivQEiZpykH KUhA==
X-Gm-Message-State: AIkVDXLq12oRU+ACfOZTRb/b3RSVKz3FQykgPhlFLFE7fM2auv8rq36S5TpVY1SPe/IA7/nVVOso2+N70eRi7A==
X-Received: by with SMTP id f28mr13343910qte.247.1482445848947; Thu, 22 Dec 2016 14:30:48 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Thu, 22 Dec 2016 14:30:48 -0800 (PST)
Received: by with HTTP; Thu, 22 Dec 2016 14:30:48 -0800 (PST)
In-Reply-To: <>
References: <7CF7F94CB496BF4FAB1676F375F9666A376AAB1E@bgb01xud1012> <> <> <7CF7F94CB496BF4FAB1676F375F9666A376B04C7@bgb01xud1012> <> <> <> <> <> <> <> <> <>
From: Martin Thomson <>
Date: Fri, 23 Dec 2016 09:30:48 +1100
Message-ID: <>
To: Richard Bradbury <>
Cc: Lucas Pardue <>, Mike Bishop <>, "" <>, Patrick McManus <>, Eric Rescorla <>
Content-Type: multipart/alternative; boundary=001a113a353239aff4054446d2b3
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-5.8
X-W3C-Hub-Spam-Report: AWL=-0.242, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1cKBtK-0007FY-UE 792c4ae01001235c74933242c601caaa
Subject: Re: Expectations for TLS session reuse
Archived-At: <>
X-Mailing-List: <> archive/latest/33226
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On 23 Dec 2016 5:04 AM, "Richard Bradbury" <>

Hmm... The statement in the above quotation seems inconclusive to me.
Surely a client could verify the server's identity simply by checking that
the target authority appears in the server's certificate (and that the
certificate is valid too, of course...). Wouldn't that satisfy the security
consideration on establishing authority described in section 9.1?

Yes[1], if the cert is good and the name is right, that is enough.

Except... We still require that the IP address matches.  But only for

> For TCP connections without TLS, this depends on the host having resolved
to the same IP address.
> For https resources, connection reuse additionally depends on having a
certificate that is valid for the host in the URI.

It seems like the requirements for the initial connection are the only ones
that are ambiguous :)  ah the joys of dealing with specs.

Maybe I need to do a writeup. That isn't going to happen soon though. Keep
up the good work, and maybe you can write this up.

[1] The part that you might have been missing is how the valid certificate
is linked to a trust anchor.  That is where is gets much, much more
complicated.  (You might have meant to include that by saying  "valid", but
I wanted to be explicit.)