Re: [Syslog] Fingerprint/handshake

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Fri, 23 May 2008 18:19 UTC

From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>, syslog@ietf.org
Date: Fri, 23 May 2008 11:20:30 -0700
Subject: Re: [Syslog] Fingerprint/handshake
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE505DFD8E5@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <003901c8b9f7$b671959d$060013ac@intern.adiscon.com>
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>

The fingerprint check should be done where certificate validation would
be done.  This is typically done within the handshake itself, because if
the validation fails you do not want to send or receive data on the
connection.  I suppose you could implement the check after the
handshake, but you need to make sure you do not send or receive
application data before successful validation has occurred.

Joe
> -----Original Message-----
> From: syslog-bounces@ietf.org 
> [mailto:syslog-bounces@ietf.org] On Behalf Of Rainer Gerhards
> Sent: Monday, May 19, 2008 2:31 PM
> To: syslog@ietf.org
> Subject: [Syslog] Fingerprint/handshake
> 
> Quick question: must the fingerprint check be done as part of 
> the TLS handshake? Or must (can?) it be done after the 
> handshake completed?
> 
> From the draft I got the impression it must be done inside 
> the handshake and the handshake must fail if fingerprint auth fails.
> 
> A clarification would be most appreciated.
> 
> Thanks,
> rainer
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
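The two placements Joe describes, as an added Go example (written for this page; it is not code from the thread, from Adiscon, Cisco or the syslog TLS draft). It assumes the pin is the hex SHA-256 fingerprint of the peer's DER certificate, and it uses a throwaway self-signed certificate on a loopback listener so it runs offline. Option 1 does the check inside the handshake via Go's VerifyPeerCertificate callback, so a mismatch aborts the handshake with an alert; option 2 lets the handshake finish and checks afterwards, handing the connection back only when the pin matched so no application data can be exchanged first.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Fingerprint is the hex SHA-256 of a DER certificate, the value an operator configures per peer.
func Fingerprint(der []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// closeOnErr tears the connection down on failure so no application data can ever cross it.
func closeOnErr(c *tls.Conn, err error) (*tls.Conn, error) {
	if err != nil {
		c.Close()
		return nil, err
	}
	return c, nil
}

// Option 1: check inside the handshake. An error from VerifyPeerCertificate aborts the
// handshake with an alert, so the connection never reaches the application-data phase.
func inHandshakeClient(raw net.Conn, expected string) (*tls.Conn, error) {
	c := tls.Client(raw, &tls.Config{
		InsecureSkipVerify: true, // chain/hostname validation off: the pin is the authentication
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 || Fingerprint(rawCerts[0]) != expected {
				return fmt.Errorf("fingerprint mismatch: peer is not pinned certificate %s", expected)
			}
			return nil
		},
	})
	return closeOnErr(c, c.Handshake())
}

// Option 2: let the handshake complete, then check. Safe only because the connection is
// handed back solely on success; nothing is written or read before the pin is verified.
func postHandshakeClient(raw net.Conn, expected string) (*tls.Conn, error) {
	c := tls.Client(raw, &tls.Config{InsecureSkipVerify: true})
	err := c.Handshake()
	pcs := c.ConnectionState().PeerCertificates // empty until the handshake has completed
	if err == nil && (len(pcs) == 0 || Fingerprint(pcs[0].Raw) != expected) {
		err = fmt.Errorf("fingerprint mismatch: peer is not pinned certificate %s", expected)
	}
	return closeOnErr(c, err)
}

// SelfSignedCert makes a throwaway server certificate for the loopback demo (constructed fixture).
func SelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// RunScenario serves cert on a loopback listener and connects one client that expects the given
// fingerprint via connect (inHandshakeClient or postHandshakeClient); nil means the peer was accepted.
func RunScenario(cert tls.Certificate, expected string, connect func(net.Conn, string) (*tls.Conn, error)) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() { // server side: accept one connection, run the handshake, close (the demo sends no data)
		defer close(done)
		if conn, err := ln.Accept(); err == nil {
			s := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}})
			s.Handshake()
			s.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	c, err := connect(raw, expected)
	if err == nil {
		c.Close()
	}
	<-done
	return err
}

func main() { // prints <nil> for the correct pin and a mismatch error for a constructed wrong pin
	cert, _ := SelfSignedCert()
	fmt.Println(RunScenario(cert, Fingerprint(cert.Certificate[0]), inHandshakeClient), RunScenario(cert, "00", postHandshakeClient))
}
```

Because InsecureSkipVerify switches off chain and hostname validation, the pin is the only authentication on these connections, which is exactly why the check has to gate all I/O. Option 1 is the stronger shape: the TLS library enforces the ordering and the peer is told, via the alert, that the handshake failed. Option 2 works only as long as every caller respects the contract that the connection is unusable until the check has passed; nothing in the library enforces it.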