IETF Logo Mail Archive

Re: [TLS] Application data during renegotiation handshake

Mike Bishop <Michael.Bishop@microsoft.com> Thu, 12 November 2015 21:09 UTC

Return-Path: <Michael.Bishop@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AAE51B3608 for <tls@ietfa.amsl.com>; Thu, 12 Nov 2015 13:09:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id veDWmk9fLaGf for <tls@ietfa.amsl.com>; Thu, 12 Nov 2015 13:09:20 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0749.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:749]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 202C31B3607 for <tls@ietf.org>; Thu, 12 Nov 2015 13:09:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=sqgDQUwdUkGIrZKuKmX97S7oe2/Cvng0DmWq1pNL7Q4=; b=ezcm8956lBqjPywrdr9cELhfvJN1Yeg2dHF6pRFi9yZ9f8XIHjgVapDN4l37exYxTssDLx6YpduqmK/bkbf2wYiIbrPqnPYnC/19lGYYr6NAv+EJgsOuAZDQ7ZEf+cYlpzKaTHUK3f8gErD81uyGIW4m01bO74mK0SIeRYPTDB8=
Received: from BN3PR03MB1367.namprd03.prod.outlook.com (10.163.34.153) by BN3PR03MB1366.namprd03.prod.outlook.com (10.163.34.152) with Microsoft SMTP Server (TLS) id 15.1.325.17; Thu, 12 Nov 2015 21:08:58 +0000
Received: from BN3PR03MB1367.namprd03.prod.outlook.com ([10.163.34.153]) by BN3PR03MB1367.namprd03.prod.outlook.com ([10.163.34.153]) with mapi id 15.01.0325.003; Thu, 12 Nov 2015 21:08:57 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: David Benjamin <davidben@chromium.org>, Yoav Nir <ynir.ietf@gmail.com>, Adam Langley <agl@imperialviolet.org>
Thread-Topic: [TLS] Application data during renegotiation handshake
Thread-Index: AdEcrQnuroKmbT4dRXSQtSnp2IGJXAAPOh2AAAreWIAAHVVLgAAAE5ow
Date: Thu, 12 Nov 2015 21:08:57 +0000
Message-ID: <BN3PR03MB1367EAFDEE6FA4D3433C50CF87120@BN3PR03MB1367.namprd03.prod.outlook.com>
References: <CY1PR03MB13743E3AE466C2F8F7AC140687130@CY1PR03MB1374.namprd03.prod.outlook.com> <CAMfhd9UV=Zya6dort29J0s7NcrbrU=a-6+diD_Sq9U6h2x1fgQ@mail.gmail.com> <F36034F5-2B2C-4E36-B44D-E581AD0B813E@gmail.com> <CAF8qwaBYpDxynY6QpPC++AH7JR46R3NH2WmWfUS60TCWodp+cA@mail.gmail.com>
In-Reply-To: <CAF8qwaBYpDxynY6QpPC++AH7JR46R3NH2WmWfUS60TCWodp+cA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Bishop@microsoft.com;
x-originating-ip: [2001:4898:80e8:6::1f7]
x-microsoft-exchange-diagnostics: 1; BN3PR03MB1366; 5:kd+3XRBc65O7hl4gT19qK/o4f7KDP6u+AoxlOELV0oESSUgz6zpkDkTJJup6h8AZi/BZ4Lm/luE6Sq2rDux22F4X86w6MZqhHaXtV69by0UkdzYgnTNOtxvjUM4chRc3EmlGJVlmA9+XbHd1Jt8nkw==; 24:+x/RvmV4ySEDNsa+MvvdQJUFG0IYhpbLeVPAHN09o7+K3B5ok62TwsYPQThWQ93Q+KR6WDeSCDbU75rGpdwe8y9AimXBg6c6zH9NNfRtHMY=; 20:WKdCUW4zxSyP8KeXc7lIhhvWGJ028enkuaOBhuhtvF5CSrNcx0PeiyC9VfPrOv7X/jSbgzUUtkIeVcVZf+xjdQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR03MB1366;
x-microsoft-antispam-prvs: <BN3PR03MB1366A9B82DB1035B9ED1888787120@BN3PR03MB1366.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(5005006)(520078)(8121501046)(10201501046)(3002001)(61426024)(61427024); SRVR:BN3PR03MB1366; BCL:0; PCL:0; RULEID:; SRVR:BN3PR03MB1366;
x-forefront-prvs: 07584EDBCD
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(199003)(24454002)(52034003)(377454003)(189002)(97736004)(15975445007)(87936001)(81156007)(77096005)(102836002)(122556002)(5001770100001)(5003600100002)(86362001)(19617315012)(40100003)(2900100001)(5002640100001)(19609705001)(86612001)(74316001)(19580395003)(19580405001)(2950100001)(5004730100002)(5007970100001)(99286002)(76176999)(189998001)(19300405004)(92566002)(5001920100001)(10090500001)(54356999)(5008740100001)(93886004)(19625215002)(101416001)(106356001)(33656002)(10290500002)(5005710100001)(76576001)(10400500002)(16236675004)(105586002)(5001960100002)(8990500004)(50986999)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR03MB1366; H:BN3PR03MB1367.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN3PR03MB1367EAFDEE6FA4D3433C50CF87120BN3PR03MB1367namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Nov 2015 21:08:57.7841 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR03MB1366
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Bnwqv4SH6HtzKgYNiTrS67iQMs0>
X-Mailman-Approved-At: Thu, 12 Nov 2015 16:21:26 -0800
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Application data during renegotiation handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 21:09:23 -0000

Doing it at the HTTP layer (as an authentication mechanism) is challenging, since applications aren’t expecting to receive it that way, and moves the authenticated exchange onto a different stream than triggered it.  I know that there’s the possibility for a layer to fake the client going away while actually sending a 401, but then you have to be able to tie the client’s second attempt back to the challenge, don’t you?

When I say “application,” I mean the code being hosted by the web server that’s actually responding to the interpreted requests.  While I’d like to minimize code changes in the HTTP server, my primary constraint is that I don’t change the application they’re hosting at all.  The change to HTTP/2 and/or TLS 1.3 should be as transparent as possible.  Keeping auth that’s currently done via TLS still in TLS helps to reduce those changes at higher layers.

In the HttpBis working group meeting, there was fairly strong consensus that we needed a backward-compatibility mechanism for existing apps moving to HTTP/2 over TLS 1.[23]; there was also interest in defining something cleaner in the future for new apps that could adopt something brand new, but not at the expense of quickly enabling current apps to keep working.  The draft below is the current candidate for least-ugly compat solution.  Doing it at the framing layer is definitely a good option for the something cleaner.

From: David Benjamin [mailto:davidben@chromium.org]
Sent: Thursday, November 12, 2015 12:43 PM
To: Yoav Nir <ynir.ietf@gmail.com>; Adam Langley <agl@imperialviolet.org>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>; tls@ietf.org
Subject: Re: [TLS] Application data during renegotiation handshake

On Wed, Nov 11, 2015 at 10:43 PM Yoav Nir <ynir.ietf@gmail.com<mailto:ynir.ietf@gmail.com>> wrote:

> On 12 Nov 2015, at 3:32 AM, Adam Langley <agl@imperialviolet.org<mailto:agl@imperialviolet.org>> wrote:
>
> The TLS 1.3 post-handshake client-auth was intended, as I recall, to
> support HTTP/1.1 over TLS 1.3.

No, it was (and is) presented as a way to do client certificate authentication with HTTP/2 not at the initial handshake.

> With HTTP/2 isn't it cleaner to do client-auth at the HTTP layer (i.e.
> by signing exporter values)?

It is. I thought that an HTTP authentication method based on certificates could be a drop-in replacement for TLS layer authentication, but someone (I think it was Mike) pointed out that with TLS-layer certificate authentication the stream continues after the authentication, while with HTTP-layer authentication, the stream ends with a 401 status code, and the client has to start a new stream with the Authorization header. So applications would need to be changed for this to work.

Using existing HTTP semantics would certainly be cleaner in a vacuum, but one could still do it in HTTP/2 layer without creating a new stream. Perhaps adapt SPDY's CREDENTIAL frame and add a new SWITCH_CREDENTIAL frame to swap a stream's credential slot mid-stream?

Alternatively, HTTP/2 frontend could make the application think there were two independent requests. Am I misunderstanding the objection? What about this:
1. Client hits HTTP/2 frontend. Frontend talks to application which decides it needs client auth, expecting it on the same stream.
2. Frontend immediately aborts that request and returns a 401 to the client. Application thinks the client just gave up.
3. Client makes a new stream, now authenticated. The frontend hits the application fresh. Application requests client auth as before and frontend responds immediately with the certificate the client asserted.
This is, by the way, how Chrome implements client auth today, even with renego. We never reconfigure client auth mid-stream.

I think it would be helpful to have examples of exactly what the applications look like, to know what constraints the various interested parties are working with.

For example, Apache httpd has some high-level configuration file.
https://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients
Existing Apache installs can easily compatibility regardless of how the HTTP/TLS interaction looks.

On the other extreme, if the goal is to keep Apache httpd unchanged while only changing OpenSSL, then we have a very different picture because the OpenSSL API is SSL_renegotiate/SSL_do_handshake (send a HelloRequest) + SSL_set_state/SSL_do_handshake (don't continue until renego completes). That one is quite overfit to the old flow and will be difficult to reconcile with almost anything.

draft-thomson-http2-client-certs-00's HTTP/2 mode seems to be targeting something in between. It's okay with adding a new application_context_id, but the client certificate still needs to be asserted at the transport. I'm having a hard time divining the constraints from this.

David

v2.23.0 | Report a Bug | By Email