IETF Logo Mail Archive

Re: [TLS] TLS Extensions: Omitting Handshake Messages

Eric Rescorla <ekr@rtfm.com> Tue, 07 November 2017 17:57 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A43C7126B71 for <tls@ietfa.amsl.com>; Tue, 7 Nov 2017 09:57:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 40y8doXysOgN for <tls@ietfa.amsl.com>; Tue, 7 Nov 2017 09:57:30 -0800 (PST)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE0D9126DFE for <tls@ietf.org>; Tue, 7 Nov 2017 09:57:29 -0800 (PST)
Received: by mail-yw0-x22c.google.com with SMTP id t11so27541ywg.12 for <tls@ietf.org>; Tue, 07 Nov 2017 09:57:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=VyRCLC49bp+o26gkX9IrtYAQFqjl5lucTsfcMXvNOtE=; b=dazepYBWxxBc89aTt72SSHO5nBR+OH0x+1M71ubQR8CZpdXW6HBuWMXwo3UzqAfig3 VL77Q5XguPQ2o7e3ULbKIicutACJ51ZQnDYGRDFLzMi1UeXjOB75dA6KazRtzXZupvNU aDakHpkvfk36sGKV5ZZ8KX4wYVWrpSQVOG313UNp+XPksnW0w8IOvIVZv4xNBsebMbx4 hW1MkdjuAJz3Lmahlxq5vygiBLIgNI7mu2GwOlyyrPFRowV3tzCPu8kz6PDkaGhvqv2T gUg2GfqmcySA4phEo5DYP4a9wWq5kYrX1fJLx/QcOyxKJ6uTRgQCDbnzzFyPqK7GULNa rcOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=VyRCLC49bp+o26gkX9IrtYAQFqjl5lucTsfcMXvNOtE=; b=Wbi/2CH2SYx6ES5Fgg/+AodLvSQo4q5auH+0VYs8WbXFocnSUtKkDrtdiemyIGTXrg Rtvmp/FZ6CPXESoW4ucqdxqpJEP+lBIR7tOkkTqtWF7X3WRy145dXI2iocCLm/JLRvzd LtdqrdWiH7/b7a8qpQOWQxfgjr8petXPHU54Oeov/SBigrheDnncb09WdUBv9UoJ8CpM jX36WCoF0uXVATWTWoon0Hg5/lRT3HvYi3PNmsLCzddrlixmqo3b9CA/PecOek5WTQ+i s30nfi1MBtA607gP3A4KaLSyJoO+PSG32fzCa4H3fWDDYGuGoElxyupXxrREfObX1/dF 8HUw==
X-Gm-Message-State: AMCzsaUztLQUFoKMNsYqrRgO6V/xyQSLTH9HBwC9NPy3/etq0GrpN+g9 7ZkAaBuMk2bdApB+4lmb3l+9ss+UrtBh2bl1tMA0iQ==
X-Google-Smtp-Source: ABhQp+QsmIZLwLVqOomJ3ePH3cSUYVgMoh8lFeQ9pqTQCHPpQDX7yUE7gaOGqPdCRoZO+8FIqadRgCsgE+LzQ0q5jyw=
X-Received: by 10.13.192.196 with SMTP id b187mr12752589ywd.416.1510077448995; Tue, 07 Nov 2017 09:57:28 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.61.12 with HTTP; Tue, 7 Nov 2017 09:56:48 -0800 (PST)
In-Reply-To: <CAGbWB+hddVX5sNFdjRCia84X2h29acMbfjeM1fapOQk2TvEDCA@mail.gmail.com>
References: <CAGbWB+hddVX5sNFdjRCia84X2h29acMbfjeM1fapOQk2TvEDCA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 07 Nov 2017 09:56:48 -0800
Message-ID: <CABcZeBOepA9J8GPZZHPXRv5rUPmeZ8TXFhe7gJGaeWvEi+41Zw@mail.gmail.com>
To: Illya Gerasymchuk <giluxonchik@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114edd48ee5d78055d684d26"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6goDhoXC0dokvuU0p30a7NR-OSg>
Subject: Re: [TLS] TLS Extensions: Omitting Handshake Messages
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2017 17:57:33 -0000

On Tue, Nov 7, 2017 at 6:15 AM, Illya Gerasymchuk <giluxonchik@gmail.com>
wrote:

> Greetings,
>
> I've been reading though various RFCs and couldn't find a definite answer
> to my question: can a negotiated TLS extension skip some of the TLS
> Handshake messages and still be compliant with the TLS specification? My
> goal is to develop a new version of TLS (as part of my Master Thesis work),
> while preferably, staying backwards-compatible.
>
> Here, I will be specifically talking about TLS 1.2, defined in RFC 5246.
> Below is a message flow for the full handshake (taken directly from RFC
> 5246):
>
>   Client                                          Server
>   ------                                          ------
>
>   ClientHello                  -------->
>                                                         ServerHello
>                                                         Certificate*
>                                                         ServerKeyExchange*
>                                                         CertificateRequest*
>                                       <--------      ServerHelloDone
>   Certificate*
>   ClientKeyExchange
>   CertificateVerify*
>   [ChangeCipherSpec]
>   Finished                       -------->
>
> [ChangeCipherSpec]
>                                       <--------        Finished
>   Application Data          <------->       Application Data
>
>
> * (asterisk) Indicates optional or situation-dependent messages that are
> not always sent.
> Now, I do know that it's perfect legal for a TLS extension to modify the
> structure of some message or add a new message, but I'm not sure if one of
> the messages, not defined as optional/situation-dependent can be omitted.
>
> Let me give you a concrete example. Let's say I create a new extension
> called *XYZ*. The client and the server negotiate that extension in the
> their extended hello messages. Would it be legal for the *XYZ* extension
> to mandate the server not to send the *ServerHelloDone* message? As far
> as I understood, this is not legal.
>

You certainly can use extensions to indicate that a new message is to be
sent, so I don't think it would be necessarily be prohibited to have it
remove a message, though I can't offhand think of an example of where we do
so.


RFC 5245 Section 4.4.1.4 states that:
>
> "it would be technically possible to use extensions to change major aspects
> of the design of TLS; for example the design of cipher suite
> negotiation.  This is not recommended; it would be more appropriate to
> define a new version of TLS -- particularly since the TLS handshake
> algorithms have specific protection against version rollback attacks
> based on the version number, and the possibility of version rollback
> should be a significant consideration in any major design change"
>

To be honest, this mostly seems aspirational :)


I would assume, however, that those major aspects do no include omitting
> messages not marked as optional/situation-dependent in the spec.
>
> Both, TLS 1.2 and TLS 1.3 draft specs mention REQUIRED/MUST in the section
> describing the ClientHello. There are no REQUIRED mentions in other
> messages though. You do have the following for the Finished: "A Finished
> message is always sent immediately after a change cipher spec message to
> verify that the key exchange and authentication processes were successful."
> , so things like these lead me to believe that the messages not explicitly
> marked as optional, are in fact, required.
>

They're required absent some extension and you would have to be pretty
careful with changes which moved them.

-Ekr


>
>
> Thank you.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email