IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-cached-info-14

"Piyush Jain" <piyush@ditenity.com> Wed, 10 April 2013 16:32 UTC

Return-Path: <piyush@ditenity.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C079D21F8C03 for <tls@ietfa.amsl.com>; Wed, 10 Apr 2013 09:32:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.145
X-Spam-Level:
X-Spam-Status: No, score=-2.145 tagged_above=-999 required=5 tests=[AWL=1.454, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9PBlzUEZECkv for <tls@ietfa.amsl.com>; Wed, 10 Apr 2013 09:32:53 -0700 (PDT)
Received: from mail-ye0-f169.google.com (mail-ye0-f169.google.com [209.85.213.169]) by ietfa.amsl.com (Postfix) with ESMTP id 9AA6921F8B45 for <tls@ietf.org>; Wed, 10 Apr 2013 09:32:53 -0700 (PDT)
Received: by mail-ye0-f169.google.com with SMTP id q14so83723yen.14 for <tls@ietf.org>; Wed, 10 Apr 2013 09:32:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=1LJTVXqdIAfXV3G5eSyKG7vf0ZppxD2olto4493foaI=; b=CAWyvffAgJgbZsh15ooCzWnGWeaNppjcpNR1iqX0HXJp/VfGhkg8TlAZaMODpEoAA3 L2KsNgvaaHhFSoDB1ckyo3WhFi2/ch7D/lA0F4hgr1DtKQFrU59xfb2uouqJ+J9Mhalk JcbuCfe2ByRp3XocKO9ZqUqruTmDX9PPdiyKqAx63N2iUpjbqLqCrEQvopzrtuJkMv33 EaBE99gSU+ktT1K/psAAIOSvm7WJdywy5OXLANuXzKtVzb1GYR+hWxjlXAweeh68yFxw 6npDWzL6q0ihryexuIp3bFVVr8Z4vK2M+IzlJZEAhbOm64rGAaGmwJp8zCly8zG0IjVa djfA==
X-Received: by 10.236.26.203 with SMTP id c51mr1610503yha.89.1365611573035; Wed, 10 Apr 2013 09:32:53 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id x33sm808143yhn.18.2013.04.10.09.32.50 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 10 Apr 2013 09:32:52 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: mrex@sap.com
References: <0a1801ce35fa$10283650$3078a2f0$@ditenity.com> <20130410152725.504F61A6A1@ld9781.wdf.sap.corp>
In-Reply-To: <20130410152725.504F61A6A1@ld9781.wdf.sap.corp>
Date: Wed, 10 Apr 2013 09:32:37 -0700
Message-ID: <0a7101ce3609$04346030$0c9d2090$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMu/Dic7AuqNJNca90RTSzx+63m5ZYOCoHA
Content-Language: en-us
X-Gm-Message-State: ALoCoQnKc/KxbAaoxUHJ/boYwvAZPomczrOvRwP/ICteKwZAD9BxGaBwavvkdBkE6JhXvZvyeg3x
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-cached-info-14
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2013 16:32:54 -0000

Thanks Martin. That is really interesting information.
More inline.
> This is the theory.
> 
> In theory, theory and practice are the same, in practice, they differ.
> 
> Although the SSLv3 and *ALL* TLS specs have always been very clear that
the
> correct ording of certificates in the TLS Certificate handshake message is
a
> MUST requirement, as well as that only the self-signed rootCA cert at the
> end of the path may be omitted, a number of TLS implementations are
> notoriously broken in that they will send arbitrary garbled paths that may
> include alien certs and even expired certs in Certificate handshake
messages
> (rather than telling the server admin that the configuration is
incorrect).

[Piyush] Isn't it a tacit assumption for TLS cached objects that
certificate_list will be ordered. The question is if the broken
implementations can make use of these proposed extensions effectively and if
not then should we really care.
> 
> Although this is not even mentioned in the TLS spec, a number of SSL and
TLS
> clients will perform various hacks to accomodate for such broken TLS
server
> implementations, ranging from simple reordering of certificate, to the
> extreme of using only the very first certificate from the servers TLS
> Certificate handshake message, throw the remaining certificates into a
large
> pool of candidate path certificates and perform a full certificate path
> discovery.
[Piyush] So what would be the cached representation of such chains? The
original list that the server sent or the corrected ordered list that the
client created?
If it is the former, the client can still indicate the certificates for
which it needs the status through a list of Boolean values. If it is the
latter then server has no way to resolve the certificate_list cached object
and it will need to resend all the information again.
But a bigger question is how to create a spec without agreeing on a basic
set of assumptions. If the practices that you describe are useful, then they
should make their way to the TLS spec. If not we stop taking them into
account while designing new specs.
> 

> The latter can lead to seemingly non-deterministic behaviour with some TLS
> servers that omit more than the self-signed rootCA cert from the
Certificate
> handshake message, such as intermediate CA certs, and the client behaviour
> changes from handshake failure (untrusted cert) to successful handshake
> when that "large pool" of cached certs coincidentally contains the missing
> intermediate cert from a prior TLS handshake with a correctly configured
TLS
> Server whose server cert was issued by the same (intermediate) CA.
>
[Piyush]  A couple of points here:
1) We were basing this discussion assuming that server follows the TLS spec
correctly and provides all the required certificates in the correct order.
It was limited to client using OCSP responses from different sources and was
not about client using intermediate certificates from other sources.
2) Not relevant to the current discussion but still interesting. Why does it
matter whether the client obtained the intermediate certificate from the
same server, a different server, an ldap or http repository as long as it
can build the chain to a trusted root? I appreciate your point about server
not catching the error of it ways right away in case of handshake failure if
some clients are smart enough to perform certificate discovery.
 In fact allowing the server to just send its certificate without any issuer
certificates can actually optimize the TLS handshake if the client delegates
the path validation and discovery to an external DPV server.

> 
> I remember that in march 2001 "https://www.verisign.com" was sending and
> expired VeriSign rootCA certificate in the server certificate handshake
> message.  When I reported this defect to VeriSign Support, they did (at
least
> initially) not understand that this indicated (a) a defect (or at least
significant
> sloppiness) in their server's SSL/TLS implementation and (b) a server
> configuration errror.
> 
Again, this is very interesting information. Delivering root certificate and
that too expired one in TLS handshake is sloppy. I hope that the clients
were not sloppy enough to start using those as trust anchors. :)
Now that you mention it, it is probably a common practice for many x.509
applications. The assumption is that you are providing a bag of certificates
to the peer so that he can select the right ones to build a trusted path to
a pre-configured trust anchor. 
[Piyush] 
> -Martin

v2.23.0 | Report a Bug | By Email