IETF Logo Mail Archive

Re: [TLS] First TLS cached information draft posted

Martin Rex <Martin.Rex@sap.com> Wed, 10 June 2009 18:40 UTC

Return-Path: <Martin.Rex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 11F5B3A6CA9 for <tls@core3.amsl.com>; Wed, 10 Jun 2009 11:40:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F28uTSlkbMCs for <tls@core3.amsl.com>; Wed, 10 Jun 2009 11:40:43 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 865533A6A7A for <tls@ietf.org>; Wed, 10 Jun 2009 11:40:40 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id n5AIed1M001149 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 10 Jun 2009 20:40:39 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200906101840.n5AIecJE020341@fs4113.wdf.sap.corp>
To: simon@josefsson.org
Date: Wed, 10 Jun 2009 20:40:38 +0200
In-Reply-To: <87bpowaxhj.fsf@mocca.josefsson.org> from "Simon Josefsson" at Jun 10, 9 06:02:00 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: huangmin123@huaweisymantec.com, tls@ietf.org
Subject: Re: [TLS] First TLS cached information draft posted
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jun 2009 18:40:44 -0000

Simon,

Simon Josefsson wrote:
> 
> Min Huang <huangmin123@huaweisymantec.com> writes:
> 
> > This "heuristic" determination works well in most scenarioes, 
> > but the client still be confused in some specific cases.
> 
> Hi.  Yes.  I don't like TLS implementations playing guessing games on
> the intended interpretation of received data, though, and that is my
> primary concern with this document right now.  I'm wondering how other
> implementers feel about this, is it acceptable?

What you could do, is to unconditionally use an additional framing
for that being-cached parts of the TLS handshake messages for
for which the Client requested caching in the ClientHelloExtension
and and the Server acknowledged caching support in the
ServerHelloExtension.

(I'm not really accustomed to TLS spec language, so please
 apply common sense / corrections yourself):

enum {
   original_data(1),
   hash_over_original_data(2),
   omitted_hash_over_original_data(3),
   original_data_and_suggestion_to_not_cache(4),
   (255)
} CacheControlContentType;

struct {
   CacheControlContentType    type;
   opaque                     content<0..2^16-1>;
} CacheControlContent;

   
...and drop the things that are not needed (but mentioned for completeness)


This approach would unconditionally change the (affected) PDU if caching is
negotiated but hashes do not match (as well).  It facilitates to omit
the actual hash value at this point in a non-ambiguous fashion
(the hash should be part of the handshake once, but having it
three times looks like waste). 

-Martin

v2.23.0 | Report a Bug | By Email