Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:

Stefan Santesson <> Tue, 11 May 2010 15:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 148F53A6995 for <>; Tue, 11 May 2010 08:46:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.2
X-Spam-Status: No, score=0.2 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, HELO_EQ_SE=0.35, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bz9K6vpL7dRV for <>; Tue, 11 May 2010 08:46:09 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 111823A68C7 for <>; Tue, 11 May 2010 08:46:08 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C90F02AC63B for <>; Tue, 11 May 2010 17:46:00 +0200 (CEST)
Received: (qmail 3174 invoked from network); 11 May 2010 15:45:54 -0000
Received: from (HELO []) ([]) (envelope-sender <>) by (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <>; 11 May 2010 15:45:54 -0000
User-Agent: Microsoft-Entourage/
Date: Tue, 11 May 2010 16:45:51 +0200
From: Stefan Santesson <>
To: Nicolas Williams <>, Martin Rex <>
Message-ID: <>
Thread-Topic: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
Thread-Index: AcrxIQhcGLPHIQYwnUSfI4LJh/emKg==
In-Reply-To: <>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 May 2010 15:46:10 -0000

Wouldn't this be solved automatically if the cache is flushed upon failure?


On 10-05-11 5:21 PM, "Nicolas Williams" <> wrote:

> On Tue, May 11, 2010 at 03:39:50PM +0200, Martin Rex wrote:
>> Nicolas Williams wrote:
>>> Well...  Many applications might not.  Can the handshake be retried
>>> transparently to the application?  Or will the application have to
>>> close() its socket and re-connect()?
>> Re-thinking this scenario, I do not think that is a workable approach.
>> The reason why I originally asked for using a (sha-1) hash value over the
>> replaced data instead of a simple, server-assigned identifier,
>> was robustness.  Going through a handshake failure is _NOT_ an option.
> That's what I expect as well, that handshake failure is not transparent
> to _all_ applications, and that any retry logic will have to be in the
> application.  That makes this protocol a bit problematic -- failures
> will be rare, no doubt, so rare that we might not care, but when they
> happen the application won't know that the failure is not permanent.
> For browsers that may not be a problem (the user will just reload); for
> non-browser apps (and scripts running in the browser!) this could be a
> problem.
>> I wanted to avoid the cache of the server and client to get out-of-sync,
>> and the use of a sha-1 hash value over the real data instead of that
>> data should be sufficiently robust so that the server will send the
>> real data in case the clients cached value differs from what the
>> server would normally send.
> I don't see how to recover from collisions, transparently to apps,
> without either adding round-trips, which is supposed to be a big no-no,
> or making handshakes retriable (I'm assuming they aren't).
>> It is generally impossible to recover from a TLS handshake failure.
> Well, the app can retry.
> Also, StartTLS protocols might be able to retry without the application
> having to disconnect/reconnect.
>> It normally requires closure of the existing connection and opening
>> of a new connection because it is completely unspecified how to
>> recover from a TLS handshake failure on a connection (and how to
>> clear the network pipe from unprocessed data from the previous handshake).
> It's easy to clear the "pipe" since the records have lengths.
>> If a client-side proxy traversal is involved, a full app-level proxy
>> handshake is required.  If proxy traversal requires an OTP authentication,
>> it will be completely impossible without user interaction.
> Is there such a thing as proxies that require OTP for authentication?
> Nico