IETF Logo Mail Archive

Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer Security (TLS) Renegotiation Indication Extension) to Proposed Standard

Marsh Ray <marsh@extendedsubset.com> Mon, 30 November 2009 16:32 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E59083A6A9F for <tls@core3.amsl.com>; Mon, 30 Nov 2009 08:32:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.836
X-Spam-Level:
X-Spam-Status: No, score=-1.836 tagged_above=-999 required=5 tests=[AWL=-0.529, BAYES_00=-2.599, MISSING_HEADERS=1.292]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hYu-V8LCAEOD for <tls@core3.amsl.com>; Mon, 30 Nov 2009 08:32:24 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 7AE9B3A692F for <tls@ietf.org>; Mon, 30 Nov 2009 08:31:55 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NF9AC-000A8Z-1T; Mon, 30 Nov 2009 16:31:48 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 910F8603C; Mon, 30 Nov 2009 16:31:46 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19d/MBorSBi4t9XUR18SkFYJELnCwbgepU=
Message-ID: <4B13F367.6040307@extendedsubset.com>
Date: Mon, 30 Nov 2009 10:31:35 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
References: <20091130153734.D44C63A6AA9@core3.amsl.com>
In-Reply-To: <20091130153734.D44C63A6AA9@core3.amsl.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: Eric Rescorla <ekr@rtfm.com>, tls@ietf.org
Subject: Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer Security (TLS) Renegotiation Indication Extension) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 16:32:26 -0000

A few little suggestions, mostly wording.

The IESG wrote:
> The IESG has received a request from the Transport Layer Security WG 
> (tls) to consider the following document:
> 
> - 'Transport Layer Security (TLS) Renegotiation Indication Extension '
>    <draft-ietf-tls-renegotiation-01.txt> as a Proposed Standard

http://tools.ietf.org/html/draft-ietf-tls-renegotiation-01

[Page 3]
>    renegotiation handshakes to the enclosing TLS channel, thus allowing
>    the server to differentiate renegotiation from initial negotiation,
>    as well as preventing renegotiations from being spliced in between
>    connections.  

"spliced in between sessions."

[Page 5]
>    o  For ClientHellos which are renegotiating, this field contains the

"the renegotiated_connection field contains"

[Page 6]
>    Both the SSLv3 and TLS 1.0/TLS1.1 specifications require
>    implementations to ignore data following the ClientHello (i.e.,
>    extensions) if they do not understand it.  However, some SSLv3 and
>    TLS 1.0 implementations incorrectly fail the handshake in such case.
>    This means that clients which offer "renegotiation_info" may find
>    handshake failures.  In order to enhance compatibility with such
>    servers, this document defines a second signalling mechanism via a
>    special TLS cipher suite "TLS_RENEGO_PROTECTION_REQUEST", with code
>    point 0xNN, 0xMM.  This cipher suite has exactly the same semantics
>    as an empty "renegotiation_info" extension.  Because servers
>    ordinarily ignore unknown cipher suites, this cipher suite can be
>    added safely on any initial handshake, including SSLv2 backward
>    compatibility handshakes.
> 
>    Servers MUST treat receipt of TLS_RENEGO_PROTECTION_REQUEST exactly
>    as if the client had sent an empty "renegotiation_info" extension and
>    respond with their own "renegotiation_info" extension.  This is an
>    explicit exception to the RFC 5246 Section 7.4.1.4 prohibition on the
>    server sending unsolicited extensions and is only allowed because the
>    client is signaling its willingness to receive the extension via the
>    the TLS_RENEGO_PROTECTION_REQUEST cipher suite.  TLS implementations
>    MUST continue to comply with 7.4.1.4 for all other extensions.
>    Servers MUST NOT select this cipher suite in any handshake, as it
>    does not correspond to any valid set of algorithms.
> 
>    Because this cipher suite is equivalent to an empty
>    "renegotiation_info" extension, only renegotiation_info" may be used
>    rehandshakes.
> 
>    Note that a minimal client which does not support renegotiation at
>    all can simply use this cipher suite in all initial handshakes.  Any
>    compliant server will reject any (apparent) attempt at renegotiation
>    by such a client.  Clients which do support renegotiation MUST
>    implement Section 3 as well.

I suggest we replace all uses of "cipher suite" in this section with the
term "cipher suite value", and we add explicit wording "The
TLS_RENEGO_PROTECTION_REQUEST cipher suite value is just a flag, it does
not actually a refer to a set of cryptographic algorithms that could
ever be used for data transmission."

This might seem obvious to all of us, but this wording change could
conceivably speed review and fend off questions by some review board.

>    TLS clients which support this draft MUST generate either the
> 
>    "renegotiation_info" extension or the TLS_RENEGO_PROTECTION_REQUEST
>    cipher suite with every ClientHello.

Can they generate both?

If not, what does the server do if he receives both?

>    Existing implementations which do not support this extension are
>    widely deployed and in general must interoperate with newer
>    implementations which do support it.  This section describes

s/must/need to/ to avoid confusion with MUST.

>    If a client offers the "renegotiation_info" extension or the
>    TLS_RENEGO_PROTECTION_REQUEST cipher suite and the server does not
>    reply with "renegotiation_info" in the ServerHello, then this
>    indicates that the server either does not support secure
>    renegotiation or is unwilling to use it.

Is it allowed for a patched server to be "unwilling"?

If not, drop the "or is unwilling to use it" lest it give the impression
that such behavior is condoned.

>    If the client does not offer the "renegotiation_info" extension or
>    the TLS_RENEGO_PROTECTION_REQUEST cipher suite then this indicates
>    that the client does not support secure renegotiation or is unwilling
>    to use it.  However, because the above attack looks like two

Again, is it allowed for a client to be conformant to this spec and
still not send either the extension or magic cipher suite value?

- Marsh

v2.23.0 | Report a Bug | By Email