IETF Logo Mail Archive

Re: [TLS] Proposed changes to draft-ietf-tls-rfc4366-bis

Martin Rex <mrex@sap.com> Mon, 17 May 2010 13:26 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 24E193A6BCF for <tls@core3.amsl.com>; Mon, 17 May 2010 06:26:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.737
X-Spam-Level:
X-Spam-Status: No, score=-7.737 tagged_above=-999 required=5 tests=[AWL=-0.088, BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F6iZ+X8BYMGG for <tls@core3.amsl.com>; Mon, 17 May 2010 06:26:17 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 630D93A6C9C for <tls@ietf.org>; Mon, 17 May 2010 06:22:00 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o4HDLho7023914 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 17 May 2010 15:21:43 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201005171321.o4HDLgmX018711@fs4113.wdf.sap.corp>
To: jsalowey@cisco.com
Date: Mon, 17 May 2010 15:21:42 +0200
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE50A67C235@xmb-sjc-225.amer.cisco.com> from "Joseph Salowey" at May 16, 10 09:43:08 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Proposed changes to draft-ietf-tls-rfc4366-bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2010 13:26:18 -0000

Joseph Salowey wrote:
> 
> This clarification is consistent with existing text in the draft and in
> RFC 4366. 

The way it is written appears somewhat misleading, and the resulting
change to 4366 indicates that we need to come up with a better description.

> 
> " Note also that all the extensions defined in this section are
>    relevant only when a session is initiated. ... 
> 
> -  If, on the other hand, the older session is resumed, then the
>       server MUST ignore the extensions and send a server hello
>       containing none of the extension types.  In this case, the
>       functionality of these extensions negotiated during the original
>       session initiation is applied to the resumed session."
>
> Michael D'Errico wrote:
> >
> >    Add to section 3 before the last paragraph to clarify session
> >    resumption behavior:
> >
> >    "When the server resumes a session, the server_name extension
> >    is ignored."
> >
> > I have not yet done it, but I plan to have my session resumption
> > logic look at the SNI to see if it matches the name used for the
> > cached session.  If they don't match, a full handshake will be
> > completed.  We already have to verify that TLS version, cipher
> > suite, and compression method are compatible with the hello
> > parameters.  I don't see why the SNI is any less important.


Your intended behaviour sounds perfectly fine and sensible.

> 
> > Does the above text suggest that my plan would be non-compliant?


No.  Your intention is to determine whether a suitable cached session
exist for resumption.  Once you have determined that, you resume without
SNI affecting the characteristics of the resumed session.


But your confusion suggests that this should probably be rephrased 
in order clarify what is meant.


There are two entirely seperate issues that ought to be distinguished.

(1) criteria which the server considers in his decision whether to
    resume a TLS session from the cache by performing an abbreviated
    TLS handshake for the TLS session ID proposed by the TLS client in
    the ClientHello handshake message.

(2) effects of parameters in ClientHello (regular or through extensions)
    on the characteristics of the established TLS session.


What Joe an the new text says is only about (2).  When the server decides
to resumt a TLS session from cache, then it must be resumed as-is, none
of the parameters or extensions in the ClientHello is allowed to modify
the characteristics of the resumed TLS session.


(1) is a totally different beast.  Whether or not the server resumes a
TLS session proposed by the TLS client is completely at the
discretion of the server.  IMHO, it makes perfect sense for the
server to check whether the attributes that the client requests
through all those parameters in regular ClientHello plus TLS extension
actually match the characteristics of proposed cached session,
and to go through a full TLS handshake if they don't.
A server can also expire a session from his session cache whenever
it sees a need to do so.


In some implementations, the TLS session cache may be shared among
several processes on a host, not just a single application that tries
to offer virtual hosting with TLS through the server name indication (SNI)
TLS extension.  That correct client implementations shouldn't be
proposing to resume TLS sessions across "virtual hosts" boundaries is
not relevant for the server's decision.  The server should not try to
make any assumptions on client desire or behaviour, but instead act
deterministically based on the parameters in the supplied ClientHello
handshake message.



-Martin

v2.23.0 | Report a Bug | By Email