IETF Logo Mail Archive

Re: [TLS] Server validation of a second ClientHello

Hubert Kario <hkario@redhat.com> Fri, 08 February 2019 12:53 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BF0C12EB11 for <tls@ietfa.amsl.com>; Fri, 8 Feb 2019 04:53:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dXXg0Ea35udm for <tls@ietfa.amsl.com>; Fri, 8 Feb 2019 04:53:53 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1A011288BD for <tls@ietf.org>; Fri, 8 Feb 2019 04:53:52 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4393212BB3; Fri, 8 Feb 2019 12:53:52 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.83]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7C49A60FDF; Fri, 8 Feb 2019 12:53:51 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: tls@ietf.org
Date: Fri, 08 Feb 2019 13:53:44 +0100
Message-ID: <3192766.6rApcoU5jf@pintsize.usersys.redhat.com>
In-Reply-To: <1549596678.898774.1653407000.2B2ACE8E@webmail.messagingengine.com>
References: <1549596678.898774.1653407000.2B2ACE8E@webmail.messagingengine.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3239363.Bl4TAJnl3i"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Fri, 08 Feb 2019 12:53:52 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8ZKCyamcYFaV90h6nf4MUnSPkEE>
Subject: Re: [TLS] Server validation of a second ClientHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Feb 2019 12:53:55 -0000

On Friday, 8 February 2019 04:31:18 CET Martin Thomson wrote:
> TLS 1.3 is pretty firm about what you can change in a second ClientHello. 
> It lists a small set of allowed changes to extensions (cookie, PSK binder,
> key shares, early data, and padding).  For the rest it says that nothing
> can change.  So clearly a client is in the wrong if it changes, adds, or
> removes an extension that isn't on this list.
> 
> The first question is whether a server should be required to check that only
> permitted changes are made to a second ClientHello.

given need for GREASE and two dozen flags across OpenSSL history for 
workarounds for bugs in different implementations, the lesson seems to be that 
the receiving side should be as strict as it can (within protocol confines) or 
we risk making the non-conforming behaviour common
 
> The second question is - if the server is not required to check for
> consistency - which ClientHello the server uses.
> 
> The third question is - if we allow checking at all - what the consistency
> check looks like.
> 
> My position is that the check cannot be mandatory, but we should allow
> servers to check.  One feature that we put significant effort into
> supporting was the notion of a stateless HelloRetryRequest, which I believe
> to be incompatible with checking (or at best extraordinately inconvenient).

"extraordinarily inconvenient" is description of the process of implementing 
any crypto and cryptographic protocols properly...
 
> With that answer in mind, if the second ClientHello might differ, I assert
> that the server uses that.  Hubert observes that this behaviour is not
> specified at all, which is entirely true.  I think that using the first
> ClientHello would be nonsensical, because the server needs to use the
> second ClientHello for those extensions that can change, like key share.

And I say that when you have already parsed, verified and sanity-checked the 
first set of extensions, it is much saner to reuse that work and only update 
the values that can change and ignore all other extensions...

There are multiple ways to look at this, and given that the standard is very 
firm that the 2nd CH needs to be as similar to the first one as possible, it 
is thus silent on which takes precedence in case they differ in general, 
because they can't.
 
> If we require or allow checking - and I think that we should definitely
> allow a check - the details of the conditions under which a check might
> fail aren't completely obvious for new extensions.  A new extension might
> be defined that has special handling in HelloRetryRequest, so it might be
> reasonable to allow new extensions to be changed.

yes, and we already had discussion on this ML about this: if the extension 
needs to change (based on protocol definition), the server MUST include it in 
HRR to signal to client, "yes, I do know about it, you can update it" and 
client MUST NOT change it otherwise
 
> The simplest thing here seems to be a prohibition on checking unknown
> extensions for consistency between ClientHello1 and ClientHello2.

that's definitely too harsh

> A final observation about checking extensions: it's not clear that we
> require consistent extension ordering.

the reordering is not in the list of allowed changes listed by the RFC

> If the key share extension changes,
> can it be reordered?

no

> Can unchanged extensions be reordered? 

no

> Clearly
> neither results in a semantic change, but if a server that is required to
> check, might need to aggressively compress information about the first
> ClientHello in order to comply and extension ordering is an obvious thing
> to erase to save space in the cookie.

the cookie can be up to 2^16 bytes long, even if client sends all 50 
extensions and spaces them with unknown extensions between, that's at most 20 
bytes per extension = 1000 bytes total extra space needed in cookie (32 bytes 
and 1600 bytes if you want to be very conservative)

and that's the excessive case, in usual case the server will not have to deal 
with more than half a dozen unknown extensions
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email