IETF Logo Mail Archive

Re: [TLS] Fwd: Clarification on interleaving app data and handshake records

Martin Thomson <martin.thomson@gmail.com> Wed, 14 October 2015 20:42 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96D421A882B for <tls@ietfa.amsl.com>; Wed, 14 Oct 2015 13:42:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ScCeQZX887Zc for <tls@ietfa.amsl.com>; Wed, 14 Oct 2015 13:42:50 -0700 (PDT)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 350451A87F2 for <tls@ietf.org>; Wed, 14 Oct 2015 13:42:50 -0700 (PDT)
Received: by ykoo7 with SMTP id o7so59338206yko.0 for <tls@ietf.org>; Wed, 14 Oct 2015 13:42:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ccpfbyte+WyxeNtNP8hA5UBTG5wsNdjpbqbl6+xFp34=; b=tqjSfaA/vD60gmM3rgrJ+G45m28XBscaaZ1My00oADjVBRKBlQvS61k0UhX4rfnpMV Hun1KxvWekRp3rMhgSxGD22iWAjZvsA0Z3X5M3INVCncUyqV1RXf2vre2e+Vvdp6yWUC i+erc9V32HT+linL4EDOpKnF7zGDulMO7iIx52ulUOMm3YDBhRLlxs3z2TRwIF2h2s3g vx9KBOy/WMe7Jo17Bntm+JI1BQeQip1TDeu9Sp2Lz+GIoJzpWMlVD9BCaRfAzKYuwMLp 0/r01hKR8VZLJs9aOGIAViD1K/TCtU2hBKzbhOWkWm7O/CwlxjWhYxnf935vVqnD+FpP qcDw==
MIME-Version: 1.0
X-Received: by 10.13.196.196 with SMTP id g187mr4385708ywd.98.1444855369478; Wed, 14 Oct 2015 13:42:49 -0700 (PDT)
Received: by 10.13.230.78 with HTTP; Wed, 14 Oct 2015 13:42:49 -0700 (PDT)
In-Reply-To: <CAF8qwaBZZs-QF98wgJRxWdijHCkM2nj4w7AUZ4tRMaKf6_jFHQ@mail.gmail.com>
References: <20151014154401.DF1401A2E6@ld9781.wdf.sap.corp> <561EB56B.9050308@baggins.org> <CAF8qwaBZZs-QF98wgJRxWdijHCkM2nj4w7AUZ4tRMaKf6_jFHQ@mail.gmail.com>
Date: Wed, 14 Oct 2015 13:42:49 -0700
Message-ID: <CABkgnnWG6aPnwwK5KyJLG4NgsyOKT0=gj2TDPWoeEhejrH4iZw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/450Zcz-iFGU9OF3XfkwABgW_AwY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: Clarification on interleaving app data and handshake records
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2015 20:42:51 -0000

On 14 October 2015 at 13:29, David Benjamin <davidben@chromium.org> wrote:
> If you really absolutely must support interleave and can't avoid it, I think
> it being allowed everywhere except between CCS and Finished is probably the
> closest you can get to coherent semantics. "Coherent" here is, of course,
> all relative since renego is involved.

I think that it needs to be more than that.  I would say:

1. You should not interleave data with handshake messages from the same flight.
2. You should not report any change to handshake status until the
renegotiation is complete.  That means no callbacks/events about new
peer certificates, or anything of that nature until you have received
and validated the Finished.  You would have to exercise caution here
for the callbacks that are necessary during the process, like the
"please choose a certificate and private key to use" callback on
either side.

If you can somehow manage to do all of that, then you might be able
get away with not halting progress entirely.  Because - as far as the
application is concerned - application data is sent as though it were
before the renegotiation.  In essence, you are keeping the application
ignorant of any changes until the whole process is over.

I've heard it recommended that you add other stipulations, such as

3. The server cannot change certificate.

I'm ambivalent on that because I don't believe it to materially change
the security properties (assuming that we have a good handshake, i.e.,
at least R-I and session hash).  I don't have proof of that, of
course.

v2.23.0 | Report a Bug | By Email