RE: Expectations for TLS session reuse

Mike Bishop <Michael.Bishop@microsoft.com> Thu, 22 December 2016 18:00 UTC

From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Patrick McManus <mcmanus@ducksong.com>, Richard Bradbury <richard.bradbury@rd.bbc.co.uk>
CC: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Eric Rescorla <ekr@rtfm.com>, Lucas Pardue <Lucas.Pardue@bbc.co.uk>
Date: Thu, 22 Dec 2016 17:56:29 +0000
Message-ID: <BN6PR03MB27082667DCC8A6DE50FD830187920@BN6PR03MB2708.namprd03.prod.outlook.com>
References: <7CF7F94CB496BF4FAB1676F375F9666A376AAB1E@bgb01xud1012> <CABkgnnWOrphhWpjuhRC5apydWb2t=qWvMSb1D9uo8Eb_4JHzqQ@mail.gmail.com> <CAOdDvNo2OgdkuDCjeVZBRnB+JPg0eFtPcm_UXQPhrEuiaGKGaw@mail.gmail.com> <7CF7F94CB496BF4FAB1676F375F9666A376B04C7@bgb01xud1012> <BN6PR03MB2708F28F1828C5278E71938087980@BN6PR03MB2708.namprd03.prod.outlook.com> <CABcZeBMssBzM67iLGtKQgS0KgSj6q9tZX7hG0GNfSK=VvatuWw@mail.gmail.com> <BN6PR03MB270885404C2F1E029F54AABE879B0@BN6PR03MB2708.namprd03.prod.outlook.com> <97158afb-d80a-443c-b59a-209ffe3d34d9@rd.bbc.co.uk> <BN6PR03MB2708A286DF303E6524EF9F4D87930@BN6PR03MB2708.namprd03.prod.outlook.com> <CABkgnnXAaX4+6CbWQGFm_0bk82WZNq9d=UBmaq22u2q7yP+pUQ@mail.gmail.com> <e508d3c7-c81d-91d8-7b6d-3e2b74d15bd9@rd.bbc.co.uk> <CAOdDvNqPDssNmSscgk3chbPg+Uw53_nqFrv+OzhTHWA=hTvwLg@mail.gmail.com>
In-Reply-To: <CAOdDvNqPDssNmSscgk3chbPg+Uw53_nqFrv+OzhTHWA=hTvwLg@mail.gmail.com>
Subject: RE: Expectations for TLS session reuse
Archived-At: <http://www.w3.org/mid/BN6PR03MB27082667DCC8A6DE50FD830187920@BN6PR03MB2708.namprd03.prod.outlook.com>

In theory, Richard is correct – “verif[y] that the communicating server’s identity matches the target URI’s authority component” could be considered satisfied if the cert were valid for the target name, even if it’s not the name the connection was originally opened to.

However, I don’t know of any HTTP/1.1 clients that actually implement it that way, and as I said before, I know of HTTP/1.1 servers that will refuse a request in that circumstance.  So as a practical matter, Patrick is correct too.

From: Patrick McManus [mailto:mcmanus@ducksong.com]
Sent: Thursday, December 22, 2016 7:39 AM
To: Richard Bradbury <richard.bradbury@rd.bbc.co.uk>
Cc: Martin Thomson <martin.thomson@gmail.com>; Mike Bishop <Michael.Bishop@microsoft.com>; ietf-http-wg@w3.org; Eric Rescorla <ekr@rtfm.com>; Lucas Pardue <Lucas.Pardue@bbc.co.uk>; Patrick McManus <mcmanus@ducksong.com>
Subject: Re: Expectations for TLS session reuse


On Thu, Dec 22, 2016 at 7:25 AM, Richard Bradbury <richard.bradbury@rd.bbc.co.uk> wrote:
the position is the same for HTTP/1.1 as it is for HTTP/2

I don't think this is true. H1 is governed by 7230 section 9. In practice it is a connection per origin:

   The "https" scheme (Section 2.7.2, https://tools.ietf.org/html/rfc7230#section-2.7.2) is intended to prevent (or at
   least reveal) many of these potential attacks on establishing
   authority, provided that the negotiated TLS connection is secured and
   the client properly verifies that the communicating server's identity
   matches the target URI's authority component (see [RFC2818], https://tools.ietf.org/html/rfc2818).

whereas H2 loosens that a little bit for coalescing in 7540.
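The disagreement above is about when a client may send a request for one authority over a TLS connection it opened to another. The following is an added example, not code from this thread or from any of the participants' implementations: a client-side coalescing check that models both positions. For a connection negotiated as HTTP/2 it applies the RFC 7540 section 9.1.1 rule (reuse is allowed when the server certificate is valid for the target host, and a 421 Misdirected Request from the server marks that authority as not reusable on this connection); for HTTP/1.1 it keeps the practical one-origin-per-connection rule Mike and Patrick describe. Hostname matching follows RFC 6125 section 6.4.3 as browsers apply it. The class and function names (`TlsConnection`, `can_coalesce`, `on_response`), the sample certificate SAN list, and the rule rejecting wildcards with fewer than two labels after them are this example's own choices, not anything the thread specifies.

```python
"""Connection-coalescing check: may an already-open TLS connection be reused
for a request to a different authority?

Added example, not code from the thread. Models the HTTP/2 rule of RFC 7540
section 9.1.1 (reuse allowed when the server certificate is valid for the
target host; 421 Misdirected Request when the server is not authoritative) and
the practical HTTP/1.1 rule of one origin per connection. The "at least two
labels after a wildcard" rule is a conservative choice of this example.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class TlsConnection:
    connected_host: str             # name the connection was originally opened to
    port: int
    cert_sans: List[str]            # dNSName entries from the server cert's SAN
    alpn: str                       # negotiated protocol: "h2" or "http/1.1"
    refused: Set[str] = field(default_factory=set)  # hosts the server answered 421 for


def hostname_matches_san(hostname: str, san: str) -> bool:
    """RFC 6125 dNSName matching: case-insensitive; a wildcard must be the whole
    left-most label, matches exactly one label, and never matches a bare domain."""
    hostname = hostname.rstrip(".").lower()
    san = san.rstrip(".").lower()
    if hostname.split(".")[-1].isdigit():
        return False  # IPv4 literal: only an iPAddress SAN could match, not a dNSName
    if "*" not in san:
        return hostname == san
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False  # partial (f*o.example.com) or non-leftmost wildcards are rejected
    if len(san_labels) < 3:
        return False  # "*.com" would cover a whole TLD; conservative rejection (assumption)
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def cert_covers(cert_sans: List[str], hostname: str) -> bool:
    return any(hostname_matches_san(hostname, san) for san in cert_sans)


def can_coalesce(conn: TlsConnection, target_uri: str) -> Tuple[bool, str]:
    """Decide whether conn may carry a request for target_uri; returns (ok, reason)."""
    parts = urlsplit(target_uri)
    if parts.scheme != "https" or parts.hostname is None:
        return False, "only https origins with a host are coalesced"
    host, port = parts.hostname, parts.port or 443   # .hostname is already lower-cased
    if port != conn.port:
        return False, "target port differs from the connection's port"
    if host == conn.connected_host.lower():
        return True, "same authority the connection was opened to"
    if conn.alpn != "h2":
        return False, "HTTP/1.1: treat the connection as bound to the original origin"
    if host in conn.refused:
        return False, "server already answered 421 for this authority"
    if not cert_covers(conn.cert_sans, host):
        return False, "certificate is not valid for the target authority"
    return True, "RFC 7540 9.1.1: certificate covers target, reuse allowed"


def on_response(conn: TlsConnection, target_uri: str, status: int) -> str:
    """Record a 421 so the client retries that authority on a fresh connection."""
    if status == 421:
        conn.refused.add(urlsplit(target_uri).hostname.lower())
        return "retry on new connection"
    return "ok"


def demo_connection() -> TlsConnection:
    # Constructed sample: an h2 connection opened to www.example.com whose
    # certificate also lists *.example.com and example.net.
    return TlsConnection("www.example.com", 443,
                         ["www.example.com", "*.example.com", "example.net"], "h2")


if __name__ == "__main__":
    conn = demo_connection()
    for uri in ("https://api.example.com/v1", "https://example.com/",
                "https://a.b.example.com/", "https://example.net:8443/",
                "https://EXAMPLE.NET/"):
        print(uri, can_coalesce(conn, uri))
    print(on_response(conn, "https://api.example.com/v1", 421))
    print(can_coalesce(conn, "https://api.example.com/v1"))
```

Two points the check makes explicit: the wildcard `*.example.com` does not cover the bare `example.com`, so a connection whose certificate lists only the wildcard cannot be coalesced onto the apex name; and a 421 is a per-connection, per-authority signal, so the client keeps the connection for the origin it was opened to and only stops sending the refused authority over it.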