IETF Logo Mail Archive

Re: [TLS] Session resumption ticket reuse considered harmful

Nico Williams <nico@cryptonector.com> Thu, 05 March 2020 23:25 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 012D43A0E40 for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 15:25:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BB3XWxzY7CF9 for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 15:25:03 -0800 (PST)
Received: from fossa.birch.relay.mailchannels.net (fossa.birch.relay.mailchannels.net [23.83.209.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D38FF3A0E36 for <tls@ietf.org>; Thu, 5 Mar 2020 15:25:02 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 3E6BC34119D; Thu, 5 Mar 2020 23:25:02 +0000 (UTC)
Received: from pdx1-sub0-mail-a85.g.dreamhost.com (100-96-54-11.trex.outbound.svc.cluster.local [100.96.54.11]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id C7D113411E1; Thu, 5 Mar 2020 23:25:01 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a85.g.dreamhost.com ([TEMPUNAVAIL]. [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.5); Thu, 05 Mar 2020 23:25:02 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Harbor-Blushing: 6f86d25f66f35985_1583450702041_3163913388
X-MC-Loop-Signature: 1583450702041:2420546518
X-MC-Ingress-Time: 1583450702041
Received: from pdx1-sub0-mail-a85.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a85.g.dreamhost.com (Postfix) with ESMTP id 51C6880B1D; Thu, 5 Mar 2020 15:25:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:references:mime-version:content-type :in-reply-to; s=cryptonector.com; bh=zWRHdocv3I2vvUkafnIMwCuZbQU =; b=Ey+RlPOjaPrlLSgv/nU7K35y5LcV2ROAcKlRidg/OrHdO9AAVIg/clYlEWm cF8Z0punKMA7V+AOSbM/Vlv0wLB8puj9q0qvTHgnnqDZw79nSjQ7Tbf9GuPRs02A FpCEk/k4M4BtBJo5JyC8Eyrhx94vKmMlmzC1FUqOAioYDQxE=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a85.g.dreamhost.com (Postfix) with ESMTPSA id 503A880B19; Thu, 5 Mar 2020 15:24:58 -0800 (PST)
Date: Thu, 05 Mar 2020 17:24:56 -0600
X-DH-BACKEND: pdx1-sub0-mail-a85
From: Nico Williams <nico@cryptonector.com>
To: tls@ietf.org
Message-ID: <20200305232455.GV18021@localhost>
References: <20200305205524.GR18021@localhost> <CAN2QdAGja9JoXsSSnmdkjHk7kNbDpEiMVkPpA6VDCfRjo9DRVw@mail.gmail.com> <20200305231526.GC7977@straasha.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20200305231526.GC7977@straasha.imrryr.org>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: 0
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedrudduuddgtdelucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppedvgedrvdekrddutdekrddukeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomh
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4X4dZQK1yEkb1Gu57j8CAYVm0cM>
Subject: Re: [TLS] Session resumption ticket reuse considered harmful
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 23:25:04 -0000

On Thu, Mar 05, 2020 at 06:15:26PM -0500, Viktor Dukhovni wrote:
> It isn't just the impact on client ticket cache processing, whatever it
> might be.  Tickets can be quite large when client certs are in use,
> because various TLS APIs promise server applications the ability to
> return the client cert (or full chain) at the completion of the
> handshake, which means recording the client cert or chain in 
> the ticket.

FYI, I accept that this is so, but IMO APIs should allow apps to, and
apps should, specify what to save in the tickets, so that we can have a
useful compression of the client certificate and chain.

> And with PQ certs about to get substantially bigger than RSA certs, I
> don't see why carefully designed servers and clients need to engage in
> wasteful network traffic, CPU and I/O costs.

See above.

> In the case of Postfix, the new ticket has to be generated, encrypted
> and transmitted by the server, received and decrypted by the client,
> then base64 encoded and transmitted to the tlsmgr(8) process, which
> stores it an LMDB or Berkeley DB database, incurring I/O costs to
> store it (likely also an fsync).

Well, users should configure the ticket DB to land on tmpfs, or you
should force it to be so, since the DB is ephemeral.  Or just use an
in-memory DB if you don't need to share it.

> With spinning rust the MTA's throughput is largely limited by the number
> of synchronous writes to disk per second, and additional synchronous
> writes degrade overall throughput.

Meh.  It's the wire bandwidth and server cycle waste issues that
convince me.

Nico
--

v2.23.0 | Report a Bug | By Email