IETF Logo Mail Archive

Re: [TLS] Proposed changes to draft-ietf-tls-rfc4366-bis

Michael D'Errico <mike-list@pobox.com> Mon, 17 May 2010 18:40 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E2863A6AA8 for <tls@core3.amsl.com>; Mon, 17 May 2010 11:40:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.983
X-Spam-Level:
X-Spam-Status: No, score=-1.983 tagged_above=-999 required=5 tests=[AWL=0.616, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RGx-usY74JS1 for <tls@core3.amsl.com>; Mon, 17 May 2010 11:40:39 -0700 (PDT)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by core3.amsl.com (Postfix) with ESMTP id 19FEB3A6A84 for <tls@ietf.org>; Mon, 17 May 2010 11:40:39 -0700 (PDT)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id C4A35B4F88; Mon, 17 May 2010 14:40:30 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=rjEAjs3jvlly eJBNbrMZn28N9pc=; b=uuWdN7/fd5i1yfrS7pv/ZoyhU47tTtYKlFfdhOb32X6f FfTP/xOd7RJI2FEdm1Hn6uZpsO6YzFJiXo4ZHuAPl4gIbH7yKSTi4+Q2mfHxXvjR EIv8AKNr1w/X2hnTpnswZw6xjSU6qsVQdHjq5/yGtM0RR4jQLWokL+B3gFMEpBo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=FIBmO7 Qadrp4VjMmC1u6vydQWw2Z/3bBk5G1f8fWEoAFLt9zEmM7Ru/8tkg2tjjPTXNIqF xraQJ2uZrsXDg7BrfHJcGRhDHGdXVx71OFAgKfi5vk4t+5MCYBGKB9s9soaFszuu s0rhT8eBJEnq8mS/iuWTtNrD+VBvJgZdIZMBI=
Received: from a-pb-sasl-quonix. (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 8D07BB4F86; Mon, 17 May 2010 14:40:27 -0400 (EDT)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id A5784B4F84; Mon, 17 May 2010 14:40:23 -0400 (EDT)
Message-ID: <4BF18D96.5040602@pobox.com>
Date: Mon, 17 May 2010 11:40:22 -0700
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE50A67C235@xmb-sjc-225.amer.cisco.com> from "Joseph Salowey" at May 16, 10 09:43:08 pm <201005171321.o4HDLgmX018711@fs4113.wdf.sap.corp> <AC1CFD94F59A264488DC2BEC3E890DE50A67C2D6@xmb-sjc-225.amer.cisco.com> <4BF170FE.9090506@pobox.com> <AC1CFD94F59A264488DC2BEC3E890DE50A67C355@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE50A67C355@xmb-sjc-225.amer.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: A9982676-61E3-11DF-B1BA-D033EE7EF46B-38729857!a-pb-sasl-quonix.pobox.com
Cc: tls@ietf.org
Subject: Re: [TLS] Proposed changes to draft-ietf-tls-rfc4366-bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2010 18:40:40 -0000

Joseph Salowey (jsalowey) wrote:
> 
>> -----Original Message-----
>> From: Michael D'Errico [mailto:mike-list@pobox.com]
>> Sent: Monday, May 17, 2010 9:38 AM
>> To: Joseph Salowey (jsalowey)
>> Cc: mrex@sap.com; d3e3e3@gmail.com; tls@ietf.org
>> Subject: Re: [TLS] Proposed changes to draft-ietf-tls-rfc4366-bis
>>
>> [snip]
>>
>> In my code, I've decided that the SNI is more important, so the
> session
>> is not resumed even if it is still in the session cache.  Thus a full
>> handshake occurs using the SNI from the client hello, and the client
>> ends up talking to the correct virtual server.
>>
> [Joe] From this description it sounds like we need to make a bigger
> change to the section to accommodate this behavior.  What happens if the
> client does not present an SNI during resumption?  Will this cause a
> problem contacting the correct virtual server?  Is the SNI required by
> your implementation during session resumption.  

I accommodate an empty SNI by allowing the configuration of a
default virtual server.  When there is no SNI sent by the client
or if it doesn't match anything, the default is selected.

The case where a client attempts to resume a session without
sending an SNI is a problem for the client to fix.  It can not
assume the session will be resumed, so it isn't providing enough
information to the server.

I just checked my code and if the client omits the SNI on resume,
it will force a full handshake using the default virtual server
(if configured).

Mike

v2.23.0 | Report a Bug | By Email