IETF Logo Mail Archive

Re: HTTP/2 and TLS 1.3 post-handshake authenication

David Benjamin <davidben@chromium.org> Tue, 02 April 2019 15:29 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20B3B1200E3 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 2 Apr 2019 08:29:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1LJ1UhXh-ogh for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 2 Apr 2019 08:29:38 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E6CB1200B6 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 2 Apr 2019 08:29:37 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1hBLJU-0006PW-1u for ietf-http-wg-dist@listhub.w3.org; Tue, 02 Apr 2019 15:27:00 +0000
Resent-Date: Tue, 02 Apr 2019 15:27:00 +0000
Resent-Message-Id: <E1hBLJU-0006PW-1u@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <davidben@google.com>) id 1hBLJS-0006On-DJ for ietf-http-wg@listhub.w3.org; Tue, 02 Apr 2019 15:26:58 +0000
Received: from mail-wm1-x335.google.com ([2a00:1450:4864:20::335]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <davidben@google.com>) id 1hBLJP-0000rc-0Z for ietf-http-wg@w3.org; Tue, 02 Apr 2019 15:26:58 +0000
Received: by mail-wm1-x335.google.com with SMTP id z11so3922013wmi.0 for <ietf-http-wg@w3.org>; Tue, 02 Apr 2019 08:26:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DmFLBe+AhjoCABVs0sI0mDzmuIs1SVcioqwLnLnWLyM=; b=eMqUd+bbHFgbkdbJJeDJCRBgrouysIucKE+tpM9o1ohFL9ejnWnFuFVD/Qeith7bO5 QHoNrv/HnCEGFPH40WAe84mQqoIDAy4kvZdPoGVgdJXWiDLzeUqaDXjVnJgTQHVlx7li HV8ns9XDiAflgGoD4CP1T04Ai6xCR+t7S7uho=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DmFLBe+AhjoCABVs0sI0mDzmuIs1SVcioqwLnLnWLyM=; b=J4GEp3awJAqdbh3fkkwVPIxKI4OvIVDBvt3dMl9kXTg0S7AvPaT3K5E99YigxBAKYw s7XbPsA0yfYm8hQwUVRGP9LeeZVxy5gCelJfVkyzrPpPg1cGpbTq8F/x4Nnc8YJT8S41 db4nrQli4fNihm5tSV7Lihf6bJ+XOpbXABseBIP+Lqp+C/wTBZbnbzLvKp9aVjKwRkr4 PSXTaLT386uvECBQ20N/vnJNoqME1lcIap/pzGGk6WZAQHHxjfsF8pGuP+L4XGUMlO5n tdcSIC055SM+yFY8UQNlC7t8ZAyHA7AwHKZJbZWBbAZoLL/oGDOeOMP0hkR0x6RiVep3 B+Mg==
X-Gm-Message-State: APjAAAVnDIrzsv6PzfGxwT3JXvk0MJ48rYR7Mnw0P3O9y9eSX8eTslDG itOjOU69ckdZhmkS0HpxU2JD+bcKO9UlX4zjHceQ79KTPg==
X-Google-Smtp-Source: APXvYqwgNfDsWDXMnUff36SZBP4U1bKU/869rJSlNzQ0lsPtjNSuov2jenN1w8S5XQ72GMf6ciQG7i+u9eWlSj+waik=
X-Received: by 2002:a7b:cf2b:: with SMTP id m11mr3749499wmg.56.1554218793374; Tue, 02 Apr 2019 08:26:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaCB6jsa03jtL+9W06s+Aqh1+ftwZaM+PH-b=5Omq5KG_w@mail.gmail.com> <36b4ac76-05b2-4ec6-a35c-db6a5057d798@www.fastmail.com>
In-Reply-To: <36b4ac76-05b2-4ec6-a35c-db6a5057d798@www.fastmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 02 Apr 2019 10:26:15 -0500
Message-ID: <CAF8qwaAwZs_rvDMaGysrvo8Gp25koMfUmsOtpf=pEeQAGWhbcw@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="00000000000015920405858dc32f"
Received-SPF: pass client-ip=2a00:1450:4864:20::335; envelope-from=davidben@google.com; helo=mail-wm1-x335.google.com
X-W3C-Hub-Spam-Status: No, score=-11.5
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1hBLJP-0000rc-0Z 75ddfbe24dc6fdeed7712eb31c70a7df
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP/2 and TLS 1.3 post-handshake authenication
Archived-At: <https://www.w3.org/mid/CAF8qwaAwZs_rvDMaGysrvo8Gp25koMfUmsOtpf=pEeQAGWhbcw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/36497
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Tue, Apr 2, 2019 at 8:36 AM Martin Thomson <mt@lowentropy.net> wrote:

> LGTM.  A simple fix for a known problem that no one really got around to
> documenting.  This was always the intent, but it never got written down.
> Thanks for doing that.
>
> Nit:
>
> The use of "this" in "incompatible with this" is a little unclear.
>

I've replaced that clause in my local copy with "which is incompatible with
the mechanism above".


> On Tue, Apr 2, 2019, at 01:23, David Benjamin wrote:
> > Hi all,
> >
> > HTTP/2 and TLS 1.3 have a minor incompatibility around post-handshake
> > authentication. Mike Bishop suggested that, rather than add some text
> > in the secondary certs draft, it would better to make a separate
> > document that actually updates HTTP/2. I've done so and uploaded a
> > draft.
> > https://tools.ietf.org/html/draft-davidben-http2-tls13-00
> > https://www.ietf.org/id/draft-davidben-http2-tls13-00.txt
> >
> > HTTP/2 was specified against TLS 1.2, which had a renegotiation
> > mechanism to rekey the connection. It additionally changed parameters,
> > so in HTTP/1.1, this is often used in a hack to implement reactive
> > client auth
> > <
> https://tools.ietf.org/html/draft-ietf-httpbis-http2-secondary-certs-03#section-1.2.1>.
> This hack doesn't work in a multiplexed protocol like HTTP/2, because the
> client cannot tell which request triggered the authentication request.
> Thus, HTTP/2 forbids renegotiation <
> https://tools.ietf.org/html/rfc7540#section-9.2.1>.
> >
> > TLS 1.3 removed renegotiation and replaced it with two features: a
> > lightweight key update, and post-handshake client authentication. The
> > former is meant to be transparent and is compatible with HTTP/2. The
> > latter reintroduces renegotiation's multiplexing problems. There is no
> > spec text which says how to interpret HTTP/2's existing renegotiation
> > ban in TLS 1.3.
> >
> > The draft fixes it by documenting the status quo. KeyUpdate is fine. It
> > is internal to the TLS stack and works just fine in existing
> > servers[*]. Post-handshake auth is forbidden. No existing servers
> > request it because they already do not request renegotiation, and no
> > existing clients accept it because they cannot usefully interpret it.
> > Instead, the reactive client auth use case for HTTP/2 is instead being
> > covered by draft-ietf-httpbis-http2-secondary-certs.
> >
> > Note it's not sufficient to lean on the TLS 1.3 post_handshake_auth
> > extension because that extension is not correlated with ALPN. A client
> > may wish to support post-handshake auth with HTTP/1.1, for continuity
> > with the TLS 1.2 renego hack, while still supporting HTTP/2.
> >
> > David
> >
> > [*] Aside from an OpenSSL bug
> > <https://mailarchive.ietf.org/arch/msg/tls/Aw1WY5gBAifAZXowgx5Ym82RIKI>
> > which, pertinently, made some applications misinterpret it as a
> > renegotiation to be blocked. That bug has been fixed in OpenSSL 1.1.1b
> > <https://www.openssl.org/news/changelog.html#x1>.
>
>

v2.23.0 | Report a Bug | By Email