IETF Logo Mail Archive

Re: [TLS] Triple Handshake Fix.

Nico Williams <nico@cryptonector.com> Mon, 05 May 2014 20:59 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BABA1A0656 for <tls@ietfa.amsl.com>; Mon, 5 May 2014 13:59:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SVrxGWi4O1wT for <tls@ietfa.amsl.com>; Mon, 5 May 2014 13:59:56 -0700 (PDT)
Received: from homiemail-a89.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id E0C491A065B for <tls@ietf.org>; Mon, 5 May 2014 13:59:56 -0700 (PDT)
Received: from homiemail-a89.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTP id 70781318065 for <tls@ietf.org>; Mon, 5 May 2014 13:59:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=788epiE1OMQ2xk4bScyz 8FV4J2k=; b=hhO0siJEW4YWzHIazUtDVpWrYsOH8hCCLFHncChwinmBZKbdSMq+ InKKNrjEAEg9NInP90XDLnyFQX2HgMppEBugOUkTqqell93qjoE8zZiWUe2q5R2r CFRi8RywjE2xCNj2lyMwXAfG2GJhVGReYqm306Ry4v2IYsHrVmw3epQ=
Received: from mail-wg0-f43.google.com (mail-wg0-f43.google.com [74.125.82.43]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTPSA id 23E89318064 for <tls@ietf.org>; Mon, 5 May 2014 13:59:52 -0700 (PDT)
Received: by mail-wg0-f43.google.com with SMTP id l18so7003579wgh.26 for <tls@ietf.org>; Mon, 05 May 2014 13:59:51 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.143.109 with SMTP id sd13mr165353wjb.95.1399323591834; Mon, 05 May 2014 13:59:51 -0700 (PDT)
Received: by 10.216.29.200 with HTTP; Mon, 5 May 2014 13:59:51 -0700 (PDT)
In-Reply-To: <CADMpkcLKaAMGcHmjOQzPqT=6fywgq8fhD9h7gxpvGzM6Esrb7g@mail.gmail.com>
References: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com> <CALR0ui+RfdFiQ4-1Odb8DKa3Kc_Ont__eBnpMNa9Obm1FeCi2A@mail.gmail.com> <CADMpkc+JeDDebHs0G3G3f17AGw9EjOe=EcK1dh_mikKjyF1DbQ@mail.gmail.com> <CA+_8ft7fwatXJjDmcsHvXG5W+CRPAx8N1+cT9Mh86pntQ7=_vQ@mail.gmail.com> <CAK3OfOgrXFeBEx8EWHaxvp7ZtQJ2YAap1myn5BHWKesTMCYEXA@mail.gmail.com> <CADMpkcKTYhNAdNVypGiGu-axNWitLGRKzE3R6Rc81qJ2Jq6_bA@mail.gmail.com> <CAK3OfOiD3RcO2u0v+u1nxtGo31iNY_NorLtMcaCqOr3BxazPXA@mail.gmail.com> <CADMpkcLKaAMGcHmjOQzPqT=6fywgq8fhD9h7gxpvGzM6Esrb7g@mail.gmail.com>
Date: Mon, 05 May 2014 15:59:51 -0500
Message-ID: <CAK3OfOjk714z8NaMm6EuKkrVPkhHoGGwvytjA9zL1x_3=AMJ3g@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/AXcvBcG9VcJIhAVuVlG8TbBIz2o
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Triple Handshake Fix.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 20:59:57 -0000

On Mon, May 5, 2014 at 3:44 PM, Bodo Moeller <bmoeller@acm.org> wrote:
> Nico Williams <nico@cryptonector.com>:
>
>> (2) only results in reduced performance in old/new or new/old cases,
>> but those should disappear soon enough.
>
>
> The point is, if you're the first to switch from "old" to "new", this would
> affect *all* your connections.  (Indeed there's no interoperability problem
> per se, but the performance hit can be nontrivial.)  Having (1) available as
> an intermediate state would make it easier to switch early.

Several optimizations are possible.  Here's a possible set of rules:

 - neither new clients nor new servers should permit renegotiation
within resumed connections when talking to an old peer

 - new clients should not permit resumption of renegotiated
connections to old servers unless the inner connection is bound to the
outer and

   - tls-unique will not be extracted or will be made unavailable when
talking to old servers

 - new servers should not offer nor permit resumption by old clients
when tls-unique CB may be extracted OR they should disallow tls-unique
CB extraction

Is that complete?  I think so.  But that's fairly complicated and
mistakes could be made in interpreting it.

We all need resumption fixed, and we're getting pretty good at
deploying new TLS implementations (because goto fail bug, because
heartbleed).  I'd rather simplify things by going with (2) alone.

Nico
--

v2.23.0 | Report a Bug | By Email