Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 30 June 2015 23:53 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15EC31B2A82 for <tls@ietfa.amsl.com>; Tue, 30 Jun 2015 16:53:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GmYQReZ1RZB for <tls@ietfa.amsl.com>; Tue, 30 Jun 2015 16:53:42 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8CC31B2BA7 for <tls@ietf.org>; Tue, 30 Jun 2015 16:53:41 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 9AAED284D2C; Tue, 30 Jun 2015 23:53:40 +0000 (UTC)
Date: Tue, 30 Jun 2015 23:53:40 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150630235340.GI14121@mournblade.imrryr.org>
References: <20150630202613.D07251A1AD@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150630202613.D07251A1AD@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/3e-2NO1ZaLWkso50nQFDugVzK_g>
Subject: Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 23:53:44 -0000
On Tue, Jun 30, 2015 at 10:26:13PM +0200, Martin Rex wrote: > I'm currently implementing support for ALPN in our middlware, > and I'm wondering how to account for ALPN in the client side session caching > management, because rfc7301 describes two mutually exclusive objectives > and the ALPN protocol does not provide a means for the server to > disambiguate the desired semantics in the ServerHello response. > > rfc7301, > https://tools.ietf.org/html/rfc7301#section-1 > > Section 1. last sentence of paragraph 2 (end of page 2): > > Further, it would be > advantageous to allow certificate selection based on the negotiated > application protocol. > > Section 1, last sentence of paragraph 4 (last paragraph): > > The application protocol negotiation can thus > be accomplished within the TLS handshake, without adding network > round-trips, and allows the server to associate a different > certificate with each application protocol, if desired. > > is in conflict with > > Section 3.1, last paragraph > https://tools.ietf.org/html/rfc7301#page-5 > > Unlike many other TLS extensions, this extension does not establish > properties of the session, only of the connection. When session > resumption or session tickets [RFC5077] are used, the previous > contents of this extension are irrelevant, and only the values in the > new handshake messages are considered. I don't think there's a conflict here. All that's said is that ALPN is not a session property, and its value for a previous connection is not directly relevant for a new connection. Each connection signals its own ALPN value. Now to the extent that a new connection elects a different protocol and thus a different server certificate chain, or the server's configuration has changed and the same ALPN protocol is now associated with a new certificate chain, the server needs to perform a full handshake, so that the client sees the correct certificate chain. > Currently, my client-side session cache management, and the decision whether > to propose a TLS session to the server for resumption, is based on a match > of the application supplied "target name" which is usually an fqdn hostname, > but could also be an abbreviated hostname or an IP address. Postfix has had solved a similar issue some time ago, because multiple SMTP destination domains can use the same MX host, but the sending MTA administrator TLS policy may differ between domains and these domains might use distinct "transports" (instances of SMTP delivery channels, roughly analogous to a Sendmail "mailer"), where each transport has different trust-anchors or other relevant TLS settings. Therefore, the client cache is indexed by multiple properties that extract the enough detail from the security policy to make sure we are reaching the right server at the right security level. The relevant attributes are: * Postfix "transport name". Different transports have potentially very different base TLS settings, and it is simplest to not mix session caches accross "transports" * Nexthop domain (with port), MX hostname and target IP address. Some MX hosts that appear to be a single multi-homed host are in fact multiple hosts with separate caches, so each IP address gets a different parallel cache. * The EHLO name of the remote SMTP server, this detects split caches (multiple SMTP servers) behind a load balancer. C: EHLO client-name S: 250-<server-name> ... 250 STARTTLS Google's pool of MX hosts at any given IP address, has a shared session cache, and a common EHLO name, so session caching works well across the load balancer. Some providers have shared caches, but fail to return a common HELO name, and the client cache is then not nearly as effective. * ... > Essentially, I believe that tagging of the session with the ALPN > negotiated protocol to result in more "predictable" behaviour, because > it will not interfere with client-side session cache management > and not result in occasional confusion should other server implementors > ever make their servers use different server certificates for > different ALPN-negotiated protocols. So, yes include all TLS security-relevant attributes in some manner in the client cache lookup key to avoid mixing cached sessions with incompatible security requirements. -- Viktor.
- [TLS] RFC7301 ALPN conflicting objectives about a… Martin Rex
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Andrei Popov
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Martin Rex
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Viktor Dukhovni
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Martin Rex
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Viktor Dukhovni
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Andrei Popov
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Martin Rex
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Viktor Dukhovni