IETF Logo Mail Archive

Re: [TLS] Interaction between session resumption and negotiated protocol version

Brian Smith <brian@briansmith.org> Sat, 04 April 2015 02:54 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FD511A8904 for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 19:54:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b4XnDTu8zW6G for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 19:54:36 -0700 (PDT)
Received: from mail-ob0-f173.google.com (mail-ob0-f173.google.com [209.85.214.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99EA11A88F3 for <tls@ietf.org>; Fri, 3 Apr 2015 19:54:36 -0700 (PDT)
Received: by obbec2 with SMTP id ec2so189761458obb.3 for <tls@ietf.org>; Fri, 03 Apr 2015 19:54:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=nseJDSGPDK3H/Xp1GfH52TqEPObMwOf96Sxkssryhcg=; b=D+JFe9yaMXNjudVy/W5jLVOQBCKpxvNi5+V0EMy3ny+FdOVzBQuA8xupgIDhyWiVth iGzIWGKHGTP+of8dlx53tF28uanf3wJB6Oaa0zOjz3CVHICh95yn2t2O0Q2WhHfBPhtc wy0/9JQ82VQMGQ/W4akEALUdu+M6ZUm2txzKOLoLdiZM/vvEPRGw/wEexNK/NYbgxK3f U4wNckalpLg4g/nTR0FlUqj5q6OdZ3Sr4FheiETHEz/ZLXgpyg99VKd7UzFnIEKDGQES GytiWqewBXgi39DVQ+QhwGTs4mY9hKwpPKT33j2aA4dLU81yw4+YgknTqhY0G4r8uRcS i09g==
X-Gm-Message-State: ALoCoQkg/V0TFnhL76oMd0GONiF3dgTS6r2wU+MuutkCxbwHPyHYi+mj7wjAItZ1GiAiVamDMb5N
MIME-Version: 1.0
X-Received: by 10.60.160.236 with SMTP id xn12mr6197611oeb.53.1428116076077; Fri, 03 Apr 2015 19:54:36 -0700 (PDT)
Received: by 10.76.20.146 with HTTP; Fri, 3 Apr 2015 19:54:36 -0700 (PDT)
In-Reply-To: <CAF8qwaAqn8mYVP8E95HC_s9jK8dshm-PWALJLO76tBeA1qvZXQ@mail.gmail.com>
References: <CANOyrg9BSVAtVC4y34jMi-OAbK5OHMFsTUOhxRJqgGKGzO41xQ@mail.gmail.com> <BLU177-W41FFC60C00F3D8BAFDC57DC3F10@phx.gbl> <CAF8qwaAqn8mYVP8E95HC_s9jK8dshm-PWALJLO76tBeA1qvZXQ@mail.gmail.com>
Date: Fri, 03 Apr 2015 16:54:36 -1000
Message-ID: <CAFewVt5_oPqiZrc-L1uk8GGs0O34-wU=LCp57tfhh=WwRgMdgQ@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: David Benjamin <davidben@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6nypmv-ZQedkNg2EUJbGUnQo3U8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Interaction between session resumption and negotiated protocol version
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Apr 2015 02:54:38 -0000

David Benjamin <davidben@chromium.org> wrote:
> I agree #3 is the most natural. The behavior for a server is then:
> 1. Based on client_version, select a protocol version.
> 2. Look up session based on session_id or ticket.
> 3. If the version the session was established at does not match the
> negotiated version, pretend the lookup failed.
> 4. Do a full or abbreviated handshake based on whether other properties of
> the session check out (cipher suite still allowed, etc.).

<snip>

> Otherwise, #1 probably works too, though OpenSSL doesn't store the
> client_version. I think I mostly see that as the client's responsibility;
> session resumption skips negotiation of lots of parameters, so you already
> have to be aware of handling this when your half of preferences change.

Agreed.

> A server SHOULD flush its session cache and invalidate tickets when
> changing cipher preferences

I think implementing your step #4 above is better than relying on such
flushing, because in a setup where multiple servers are sharing a
session cache, the flushing would likely be racy, and/or the
individual servers may be configured differently--either temporarily
as a setting change propagates across a set of servers, or permanently
due to some (mis)configuration issue.

> a client SHOULD shard the session cache by fallback
> type, etc.

Alternatively, the client should avoid doing any fallback at all. If
it has to do fallback for some reason, it could also avoid the issue
by avoiding session resumption during fallback.

Cheers,
Brian

v2.23.0 | Report a Bug | By Email