Re: [TLS] SSL Renegotiation DOS
Martin Rex <mrex@sap.com> Tue, 15 March 2011 17:56 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4BEDF3A6E21 for <tls@core3.amsl.com>; Tue, 15 Mar 2011 10:56:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.221
X-Spam-Level:
X-Spam-Status: No, score=-10.221 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gdo8YKfpJ68E for <tls@core3.amsl.com>; Tue, 15 Mar 2011 10:55:58 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 038C43A6971 for <tls@ietf.org>; Tue, 15 Mar 2011 10:55:57 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id p2FHvJKn020943 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 15 Mar 2011 18:57:19 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201103151757.p2FHvIRC014976@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Tue, 15 Mar 2011 18:57:18 +0100
In-Reply-To: <4D7F95AA.8060007@extendedsubset.com> from "Marsh Ray" at Mar 15, 11 11:36:58 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] SSL Renegotiation DOS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2011 17:56:00 -0000
Marsh Ray wrote: > > > Presumably, somewhere there is a TCP-based load-balancing DoS prevention > system protecting a TLS server that allows client-initiated > renegotiation. This system may do a good job of resisting DoSes on the > initial handshake but not DoSes on renegotiation handshakes. The issue might be more about the classification of what counts as a DoS attack. Recognizing TLS renegotiations is technically possible for Intrusion dectection systems, since the ChangeCipherSpec handshake message remains visible on on the wire, even for TLS renegotiations. (also, the fact that handshake messages rather than application data is exchanged, remains visible on the wire). The workload impact of full TLS handshakes on the TLS server is far from marginal. Therefore, even non-hostile clients can consume most of a servers resources. Distinguishing DoS from clients with a flaw in their TLS session caching and defective server-side TLS session caching or inappropriate configuration might be tricky for an IDS. Server resources may get drained without any errors showing up on the communication protocol level, simply by performing the cryptographic operations of the protocol over and over again. A TLS server can easily DoS _itself_ with an inadequate, too small or disabled server side TLS session cache (or due to bugs in the session cache management of the implementation). Personally, I consider it a bad idea to run a TLS server on the internet with TLS session caching entirely disabled. Limiting session cache lifetime and session cache size on the TLS server seems sensible, but running entirely without session cache does not look sensible to me (for public Web-Servers on the internet). TLS clients without session caching capabilities also seem to be unnecessarily common. Apache mod_proxy used to be incapable of client side TLS session caching--which causes a serious performance impact on the communication link between reverse proxy and backend if that link is TLS-reencrypted. > > My suggestion to Jorge would be to find such a product configuration and > demonstrate the attack against it (and file a bug with the vendor of > course). > > I don't see this as a real weakness in TLS itself either. Nevertheless, > I think might be something in scope here. Are there improvements to DoS > resistance which could be made in the scope of the IETF's TLS activity? When the topic of "client identity protection" came up on the TLS mailing list, the suggestion was made to solve this by performing a TLS renegotiation. Today (after the TLS renegotiation vulnerability), many servers may have unsolicited renegotiations disabled (and may continue to have it disabled after adopting the rfc5746 solution). Microsoft IIS seems to have never supported unsolicited renegotiations so far -- it was primarily "added value" for TLS implementations that could perform TLS renegotiation "transparently", i.e. without requiring support from the (TLS) application caller to do renegotiation. The results that TLS renegotiation might have on the client identity, as seen by the server application, is sufficiently non-trivial that some discussion on this was added to the security considerations of rfc5746 http://tools.ietf.org/html/rfc5746#section-5 -Martin
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Nikos Mavrogiannopoulos
- Re: [TLS] SSL Renegotiation DOS Steve Dispensa
- Re: [TLS] SSL Renegotiation DOS Joe Orton
- Re: [TLS] SSL Renegotiation DOS Dr Stephen Henson
- Re: [TLS] SSL Renegotiation DOS Steve Dispensa
- Re: [TLS] SSL Renegotiation DOS Martin Rex
- Re: [TLS] SSL Renegotiation DOS Eric Rescorla
- Re: [TLS] SSL Renegotiation DOS Marsh Ray
- Re: [TLS] SSL Renegotiation DOS Martin Rex
- Re: [TLS] SSL Renegotiation DOS Steve Dispensa
- Re: [TLS] SSL Renegotiation DOS Peter Gutmann
- Re: [TLS] SSL Renegotiation DOS Martin Rex
- Re: [TLS] SSL Renegotiation DOS Peter Gutmann
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles