IETF Logo Mail Archive

Re: [TLS] Fwd: Clarification on interleaving app data and handshake records

Hubert Kario <hkario@redhat.com> Fri, 16 October 2015 09:50 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83CBD1B34C9 for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 02:50:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dwZ5EtPaZxUJ for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 02:50:43 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 133DD1B34C8 for <tls@ietf.org>; Fri, 16 Oct 2015 02:50:42 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 6B5EBC0B64C1; Fri, 16 Oct 2015 09:50:42 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-112-54.ams2.redhat.com [10.36.112.54]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t9G9obMi012919 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 16 Oct 2015 05:50:41 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Fri, 16 Oct 2015 11:50:30 +0200
Message-ID: <55580670.jzLYtZ8hkN@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.9 (Linux/4.1.10-200.fc22.x86_64; KDE/4.14.11; x86_64; ; )
In-Reply-To: <CABkgnnUZpvH4F5d42geQ4Y5h5tf5POHjTr9PpfemLtir0kavFg@mail.gmail.com>
References: <20151014154401.DF1401A2E6@ld9781.wdf.sap.corp> <561EDAAA.3050600@baggins.org> <CABkgnnUZpvH4F5d42geQ4Y5h5tf5POHjTr9PpfemLtir0kavFg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1526812.lyuG49bKPV"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/AsYtoYy_BBGFtHSQh9_gyfegKF8>
Subject: Re: [TLS] Fwd: Clarification on interleaving app data and handshake records
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 09:50:44 -0000

On Wednesday 14 October 2015 16:06:00 Martin Thomson wrote:
> On 14 October 2015 at 15:43, Matt Caswell <frodo@baggins.org> wrote:
> > "highly dangerous idea"
> 
> Wrong Martin.  I agree that there is a need for caution, but in
> reality, it's not like you can use renegotiation to hand-off to
> someone else entirely.  The person you are talking to hasn't changed.
> What is dangerous is making assertions about *new* things that the
> renegotiation introduces.

Also, we're talking with a peer that does implement RFC 5746, so we can 
be *sure* that we're talking to the same peer still.

So the problem happens when application is querying the library for 
connection information (certificates mainly) and getting info from new 
connection while still actually receiving application data from the old 
context.

The problem is, that we can verify the handshake only after we receive 
Finished message, until then, the server can present any certificate it 
wants and client has no way of verifying if it (for *DH it can even 
receive information sent by client after its Finished message). For 
server it's nicer, as the certificate can be verified much quicker (in 
the same flight), but the window still exists.

That makes it dangerous when going from low to high security context, 
not so much other way round.
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email