Re: [TLS] SNI with early data
Matt Caswell <frodo@baggins.org> Fri, 21 July 2017 10:14 UTC
Return-Path: <frodo@baggins.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65045127869 for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 03:14:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RdcMVnqERoDv for <tls@ietfa.amsl.com>; Fri, 21 Jul 2017 03:14:43 -0700 (PDT)
Received: from mx496502.smtp-engine.com (mx496502.smtp-engine.com [212.227.20.70]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFA1A127337 for <tls@ietf.org>; Fri, 21 Jul 2017 03:14:42 -0700 (PDT)
Received: from mail-io0-f176.google.com (mail-io0-f176.google.com [209.85.223.176]) by mx496502.smtp-engine.com (Postfix) with ESMTPSA id E19114B9 for <tls@ietf.org>; Fri, 21 Jul 2017 11:14:40 +0100 (BST)
Received: by mail-io0-f176.google.com with SMTP id q2so20758752ioe.3 for <tls@ietf.org>; Fri, 21 Jul 2017 03:14:40 -0700 (PDT)
X-Gm-Message-State: AIVw112J51KIVrsuuoJARaR+01S/VtpukKkp92CLDztspBSgiO9cqV7z dMotq89TcaeAUJDnaJEby5ZQhqJ7vA==
X-Received: by 10.107.9.137 with SMTP id 9mr6999080ioj.131.1500632079258; Fri, 21 Jul 2017 03:14:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.37.2 with HTTP; Fri, 21 Jul 2017 03:14:38 -0700 (PDT)
In-Reply-To: <b1396d4a-2d62-d87c-3491-a965fb89cda3@akamai.com>
References: <CAMoSCWatQZDT8qUv7EqmTH_FJ4OjrSTXVY+he6qw6MmfJ_w8vg@mail.gmail.com> <b1396d4a-2d62-d87c-3491-a965fb89cda3@akamai.com>
From: Matt Caswell <frodo@baggins.org>
Date: Fri, 21 Jul 2017 11:14:38 +0100
X-Gmail-Original-Message-ID: <CAMoSCWaWs2YwmXVr+3=bjMfbrR3LNoujOvx9hDzHwUuvNbs5eA@mail.gmail.com>
Message-ID: <CAMoSCWaWs2YwmXVr+3=bjMfbrR3LNoujOvx9hDzHwUuvNbs5eA@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EBh1EDqzjy3EjBQ1Cvai6ujAFFM>
Subject: Re: [TLS] SNI with early data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2017 10:14:44 -0000
On 20/07/17 18:10, Benjamin Kaduk wrote: > On 07/20/2017 04:51 AM, Matt Caswell wrote: >> I note in draft-21 the following text: >> >> When clients use a PSK obtained externally to send early data, then >> the following additional information MUST be provisioned to both >> parties: >> >> - The TLS version number for use with this PSK >> >> - The cipher suite for use with this PSK >> >> - The Application-Layer Protocol Negotiation (ALPN) protocol >> [RFC7301], if any is to be used >> >> - The Server Name Indication (SNI), if any is to be used > > These are in addition to the hash algorithm provisioned with the > external psk that is needed for 1-RTT operation, as mentioned somewhat > in passing in section 4.2.10 > >> Later it says this: >> >> In order to accept early data, the server MUST have accepted a PSK >> cipher suite and selected the first key offered in the client's >> "pre_shared_key" extension. In addition, it MUST verify that the >> following values are consistent with those negotiated in the >> connection during which the ticket was established. >> >> - The TLS version number and cipher suite. >> >> - The selected ALPN [RFC7301] protocol, if any. >> >> >> The language about "during which the ticket was established" seems to >> suggest that the following checks do not apply to an external PSK - >> which I don't think is intended. Additionally there does not seem to > > These values are a subset of those listed above. I believe this block > of text only applies to NST-provisioned PSKs being used for early data, > as the previous text applies to external PSKs being used for early > data. Interesting because I assumed the intention was the opposite. I'm not sure why this restriction should only apply to NST-provisioned PSKs. > So, since the previous list is a superset, there is no problem > caused by this text not applying to external PSKs. The earlier text is about what needs to be *provisioned* to both parties. This text is about what MUST be verified on the server. I think these are two subtly different things. I see no reason to exclude SNI from requiring to be verified, nor do I see a reason to restrict it to NST PSKs only. Either you MUST do it for both types of PSK or you don't need to do it at all. What is the benefit of complicating things by providing a partial list that MUST be verified for one type of PSK only? If this block of text is about NST PSKs only then the implication is that a server MAY tolerate discrepancies in ALPN for external PSK. At least that is the way I read it (although I don't think that was the intention). > >> be a requirement on the server to check that the SNI is consistent. >> So, there is a mandatory requirement for an external PSK to specify >> the SNI, but no requirement on the server to check that it is actually >> correct. Is this discrepancy intentional? >> > > I'm not sure I fully understand what you are saying. > The text says that (for external PSKs) the SNI must be provisioned to > both parties, which to me implies that the server must only use the > given PSK for early data with the specified SNI. (That is, that the > server has to check.) It does not imply that to me. It says it has to be provisioned. That fact that NST PSK MUST verify, implies to me that non-NST PSKs may tolerate discrepancies. > > For tickets, the requirement that SNI must match the original connection > is mentioned in section 4.6.1 (NewSessionTicket). Again...why only for NST PSKs? > > In short ... I don't see any problems here. Do you still see a problem? Yes - given that we have different interpretations of the same text I still see a problem. I think it should be a lot more explicit, and remove the discrepancies between NST PSKs and external PSKs. There is another example of this, earlier on in section 4.2.9: "The parameters for the 0-RTT data (symmetric cipher suite, ALPN protocol, etc.) are the same as those which were negotiated in the connection which established the PSK." This implicitly seems to only apply to NST PSKs. Why not external PSKs too? Matt
- [TLS] SNI with early data Matt Caswell
- Re: [TLS] SNI with early data Kazu Yamamoto ( 山本和彦 )
- Re: [TLS] SNI with early data Benjamin Kaduk
- Re: [TLS] SNI with early data Matt Caswell
- Re: [TLS] SNI with early data Benjamin Kaduk