Re: [TLS] DTLS Handshake race condition
Andy Wilson <andrewgwilson@gmail.com> Sun, 11 August 2013 14:25 UTC
Return-Path: <andrewgwilson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC02A11E80F9 for <tls@ietfa.amsl.com>; Sun, 11 Aug 2013 07:25:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lh2yLldGfmU6 for <tls@ietfa.amsl.com>; Sun, 11 Aug 2013 07:25:53 -0700 (PDT)
Received: from mail-bk0-x22c.google.com (mail-bk0-x22c.google.com [IPv6:2a00:1450:4008:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 87CAC21E8050 for <tls@ietf.org>; Sun, 11 Aug 2013 07:19:30 -0700 (PDT)
Received: by mail-bk0-f44.google.com with SMTP id mz10so1897077bkb.31 for <tls@ietf.org>; Sun, 11 Aug 2013 07:19:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=7D63AltDBDZ0CzQ3DF7WKP5Yb5w0N22Zsax123PPpeM=; b=EiljkGIch6/7Ti28NrVouRF2Zhsd4qSASHoYRsRvsuy9qnsigIJKKgrU/NYBFJrdu7 gqvk2w2VU9/JjkZSHlCglkmcU8oSHC6QWp7ojrccRmgN2rfAa3DnCcHlr5oPCkvzHfNR XvAuGwxRbQL8dhfGPtJw9xZfJLdoWUEf/giX6m2m1J7DhlHUKXQECFm7L7SRMiHlNSrn UTzSgniZ82JOMTQdKChDvKWm8zm54Ynnp1fr/Vl1ojdJshw7ky6kbLNtSDMPkuVO7wWG bG+UlTQB5hJEJeKWkPh36FWi0kH7pe82C8Jg6jphoiCxJ7elDmGW850kYH1Pyx0uAWJk XoWg==
MIME-Version: 1.0
X-Received: by 10.204.187.196 with SMTP id cx4mr3000264bkb.118.1376230769559; Sun, 11 Aug 2013 07:19:29 -0700 (PDT)
Received: by 10.205.115.141 with HTTP; Sun, 11 Aug 2013 07:19:29 -0700 (PDT)
In-Reply-To: <1CBCCCAF-163A-474B-8DD0-6634460644C1@lurchi.franken.de>
References: <1CBCCCAF-163A-474B-8DD0-6634460644C1@lurchi.franken.de>
Date: Mon, 12 Aug 2013 02:19:29 +1200
Message-ID: <CAL2p+8QvmiH-L0WYWDdtAirgQ8i_VoaJQUDfNw4dXDZ1xOzq=w@mail.gmail.com>
From: Andy Wilson <andrewgwilson@gmail.com>
To: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
Content-Type: multipart/alternative; boundary="20cf302acee2263bb504e3acb215"
Cc: tls@ietf.org
Subject: Re: [TLS] DTLS Handshake race condition
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Aug 2013 14:25:54 -0000
After looking over the RFC a bit, wouldn't the client be expecting a HelloVerifyRequest after its ClientHello? On 12 August 2013 01:17, Michael Tuexen <Michael.Tuexen@lurchi.franken.de>wrote: > Dear all, > > while fixing a bug in OpenSSL regarding the DTLS handshake, I thought about > the following scenario (both sides decide to renegotiate at about the same > time): > > * A DTLS connection is established. > * The server sends a HelloRequest(MsgSeqNo = 0) and starts the > retransmission > timer, since this is a flight. > * The HelloRequest is dropped by the network. > * The client sends a ClientHello(MsgSeqNo = 0) and start a retransmission > timer, > since it is its first flight. > * The server receives the ClientHello, stops the retransmission timer > and sends the next flight starting with ServerHello(MsgSeqNo = 1) > since it considers the received ClientHello as an ack for the flight. > * The client doesn't process the ServerHello, since it expects the > MsgSeqNo == 0. > > Therefore the client retransmits its ClientHello and the server retransmits > its flight containing the ServerHello. Am I missing something? > > The problem is that the server has no way to figure out if the received > ClientHello is a reaction to a HelloRequest or not. > The only way out I see is that the client accepts ServerHellos with > MsgSeqNo=0 and MsgSeqNo=1. > I don't think this is covered in http://tools.ietf.org/html/rfc6347 > > Any opinions? > > Best regards > Michael > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- Regards Andy
- [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Andy Wilson
- Re: [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Andy Wilson
- Re: [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Martin Rex
- Re: [TLS] DTLS Handshake race condition Michael Tuexen
- Re: [TLS] DTLS Handshake race condition Martin Rex