IETF Logo Mail Archive

[TLS] Server validation of a second ClientHello

Martin Thomson <mt@lowentropy.net> Fri, 08 February 2019 03:31 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FB18130F1D for <tls@ietfa.amsl.com>; Thu, 7 Feb 2019 19:31:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=TE7UkZLn; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=L8DnDVlK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YNfBgzY-5C6B for <tls@ietfa.amsl.com>; Thu, 7 Feb 2019 19:31:20 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D5E3128B01 for <tls@ietf.org>; Thu, 7 Feb 2019 19:31:20 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 2692E22089; Thu, 7 Feb 2019 22:31:19 -0500 (EST)
Received: from web3 ([10.202.2.213]) by compute1.internal (MEProxy); Thu, 07 Feb 2019 22:31:19 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=message-id:from:to:mime-version:content-transfer-encoding :content-type:date:subject; s=fm1; bh=VYs/XpX7mGLU4H+brhonOfog0F f4iGQRupyodE4lQ+o=; b=TE7UkZLnhHyB2jgxY2wWLLH8Qj77NSd+hI0qo0uQys r+g78JWmHflGN9p9TF5PUEawNUSfSorGe755yYQVHFpsOjPtSMpM9FS9yhq8Q2gH NZHefvyAvegOaP52srwINpQv4Nxm42nGJkaL6LhwHNEg21kIE9qgxYHup/6t4+Kh io8cPPR3LWZrguqYa62wbQ3LqPiDe7GZiXRbgkHLyTmii7Ultvvd67MwGAQNxr8a Jq4nMSYKuD7BVLoyhn1KAO1QVWMT1qUO77KTQCrDjV/nma7hKrAhwGqaCF/zxETF bvGE/y5mwaMqsUjuCTgF6KO/oWu16Ip0wx9ftICTFrpQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=VYs/Xp X7mGLU4H+brhonOfog0Ff4iGQRupyodE4lQ+o=; b=L8DnDVlKRBWWGCOT25tNXg bdzm07ykFxJVcDolOAhtHeYPYldYJVFES8KrOpXXa/nWOj4O5PYpMuP6sI5puZ3W fS64daDyzRummhVnG9TEhVHK2+x9UNMpKWYhq/49YCSxOp6mx3uzRemOLLYPrBaQ 5fkltCu1XNMTl9GUs2u+l7ND5DQ7MPxMuhqQ/fn9X5FXdXcmMK+4Q2JY6NmbzI0U YMHCh7OJcBd1nugDqLiQ2W7+WX18UCVWIB54pJ+8F9lRbEV3r/asElIqFNjXN+4r lcdoJgiZT5PowbaEVtvf8ux+llcnJlSTIYtm3+pWe7ODfMEZveI0Q326ZgzWJkkA ==
X-ME-Sender: <xms:BvhcXGJA2mu0V8GOcJQPSkxaakSy3BdVqGGnYr6o0VRbDHTC8_td-Q>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledrledugdehkecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfhuthenuceurghilhhouhhtmecufedt tdenucenucfjughrpefkhffvggfgtgfofffusehtjeertdertdejnecuhfhrohhmpeforg hrthhinhcuvfhhohhmshhonhcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucfr rghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvthenucevlh hushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:BvhcXMhfkKv8W2hox8G4pvOibJzCuI4VtLforstctuDYd94rJv_njg> <xmx:BvhcXCsxUvq3lXt2rfu7ebkPb9luyRZrsOR8SNSiE2jHpHv-mH1xZg> <xmx:BvhcXOgnK8sVb0QE6-0p1S-90cOseX4UVZC1JD3CfJjy_6YOKDmSsA> <xmx:B_hcXA1lICA8wPeQN63_ufNV0dWlgI9PCtnqbKp_kNNRtuhBHx5-ug>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 9822F9E595; Thu, 7 Feb 2019 22:31:18 -0500 (EST)
Message-Id: <1549596678.898774.1653407000.2B2ACE8E@webmail.messagingengine.com>
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org, hkario@redhat.com
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-e6290ad1
Date: Fri, 08 Feb 2019 14:31:18 +1100
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8A6WaBVK9rNEgiuu-tDFHzAYPCw>
Subject: [TLS] Server validation of a second ClientHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2019 03:31:22 -0000

TLS 1.3 is pretty firm about what you can change in a second ClientHello.  It lists a small set of allowed changes to extensions (cookie, PSK binder, key shares, early data, and padding).  For the rest it says that nothing can change.  So clearly a client is in the wrong if it changes, adds, or removes an extension that isn't on this list.

The first question is whether a server should be required to check that only permitted changes are made to a second ClientHello.  

The second question is - if the server is not required to check for consistency - which ClientHello the server uses.

The third question is - if we allow checking at all - what the consistency check looks like.

My position is that the check cannot be mandatory, but we should allow servers to check.  One feature that we put significant effort into supporting was the notion of a stateless HelloRetryRequest, which I believe to be incompatible with checking (or at best extraordinately inconvenient).

With that answer in mind, if the second ClientHello might differ, I assert that the server uses that.  Hubert observes that this behaviour is not specified at all, which is entirely true.  I think that using the first ClientHello would be nonsensical, because the server needs to use the second ClientHello for those extensions that can change, like key share.

If we require or allow checking - and I think that we should definitely allow a check - the details of the conditions under which a check might fail aren't completely obvious for new extensions.  A new extension might be defined that has special handling in HelloRetryRequest, so it might be reasonable to allow new extensions to be changed.

Conversely, we might assume that anything that changes is going to be present in the HelloRetryRequest.  Therefore, only extensions that the server understands and includes in HelloRetryRequest can change.  That's not true for the early data extension, which is removed after HelloRetryRequest without any requirement for a server indicating support, but we might assume that extensions in the core spec have special status in this regard.

The simplest thing here seems to be a prohibition on checking unknown extensions for consistency between ClientHello1 and ClientHello2.

A final observation about checking extensions: it's not clear that we require consistent extension ordering.  If the key share extension changes, can it be reordered?  Can unchanged extensions be reordered?  Clearly neither results in a semantic change, but if a server that is required to check, might need to aggressively compress information about the first ClientHello in order to comply and extension ordering is an obvious thing to erase to save space in the cookie.

v2.23.0 | Report a Bug | By Email