IETF Logo Mail Archive

Re: [TLS] Interaction between cookies and middlebox compat mode

Eric Rescorla <ekr@rtfm.com> Thu, 28 December 2017 12:29 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A465012D87C for <tls@ietfa.amsl.com>; Thu, 28 Dec 2017 04:29:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bRzIwX3KUf8f for <tls@ietfa.amsl.com>; Thu, 28 Dec 2017 04:29:13 -0800 (PST)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 984211201F2 for <tls@ietf.org>; Thu, 28 Dec 2017 04:29:13 -0800 (PST)
Received: by mail-yw0-x232.google.com with SMTP id g191so8439116ywe.7 for <tls@ietf.org>; Thu, 28 Dec 2017 04:29:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jS2SPJ7SosCoiN1vjaN+AgAliqjIIfBNay2bg99jc4E=; b=pQzdYholUjhdL9Z8tOORC0/R0C+HJyZfFbnmZRKUctQK3VaqXuY36ch0NEgfqXdgEz T+ben67cAoA+JNFmIv5G1ZFtLD5yxhIN1JFNnzJeyLgD8Hr2ulQltpsFuVsPjIquHZri umbcan34yvLcXNKa4FyjUUG19SmyS+3PEk6TACw1pxytwDrM4NUTmgJSSmEJeritYgRS jeq/snmp3bGXrD8jIK1uPUz/lQztF7kZpm2ILhD7qBdkf3J+AYXDwdKikLEI00nq00Er P3+qKMtsLWLZmw6UADJqhTnu+co5e3C0ERanWfNxLn3up8DMszcXVjmyO20zY1h2Hfe4 PBBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jS2SPJ7SosCoiN1vjaN+AgAliqjIIfBNay2bg99jc4E=; b=I6N/FCV25XpgRO8xMjOnj09LmmiHJtZatTaalpoO4gPa8zd/4iCvPz0w38GknqsFm6 emdpnXb+rVhrfKNbcQpY9OIBEXPhoHVfWno/9U7rlNnAQ/Ln5e2+GsjurItgwBjrOlVy NNFukoijbwRjb2SNikTyutcNFGimobYnZHQoeLU/474BpOdfY44HN3QriYTz9vHrNXf9 Ptku4QZdmitNpmz8X2cRIHsauq3BBAO/0ldm+eCjy7EeVTh2UXtddR4iirSYPhpfTYox vw6bfxHyJd2CvBJSlMmAKNFM/xIDmAz/A4v/+8aS/viRRf+zm5YxzffsEiqpwbyTYnQw Bq5A==
X-Gm-Message-State: AKGB3mKC9/BLoIpcXbqGB5+iv7oGe55IdObNrdrxBaqnPc/PQMFASKmf r+otWciaGXulQpywpZ/4G2V6KhYZdj89WOrBT/1zyw==
X-Google-Smtp-Source: ACJfBouL+ZFO4iIszMt/MkMtFa0bR6TuagIDifOxfb9221ZAzFyEkENcoiHD2mIwM3jq7VUwJphzetfCRHVNrgQSOoU=
X-Received: by 10.129.154.22 with SMTP id r22mr21046457ywg.296.1514464152834; Thu, 28 Dec 2017 04:29:12 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.123.132 with HTTP; Thu, 28 Dec 2017 04:28:32 -0800 (PST)
In-Reply-To: <37a087f4-efbe-7eae-5539-d220ff67e243@openssl.org>
References: <9a7b1178-f856-ec63-c4b7-e2b29993e133@openssl.org> <CABcZeBMS9TeR-kFem4xHiWGVyKn5LbvDomdzL6vV_3XrKkravQ@mail.gmail.com> <37a087f4-efbe-7eae-5539-d220ff67e243@openssl.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 28 Dec 2017 04:28:32 -0800
Message-ID: <CABcZeBOfcKTDnc+FcTPutMazSEhg3V8_tWqzeqpv=N6ki9jN9g@mail.gmail.com>
To: Matt Caswell <matt@openssl.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0bb4e8daec2a056165a9c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EgqP5MIHy9Gcl4Z0r7EPDh5DOU4>
Subject: Re: [TLS] Interaction between cookies and middlebox compat mode
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Dec 2017 12:29:16 -0000

On Thu, Dec 28, 2017 at 12:54 AM, Matt Caswell <matt@openssl.org> wrote:

>
>
> On 27/12/17 19:33, Eric Rescorla wrote:
> >
> >
> > On Wed, Dec 27, 2017 at 11:17 AM, Matt Caswell <matt@openssl.org
> > <mailto:matt@openssl.org>> wrote:
> >
> >     Consider the scenario where a server is operating statelessly (i.e.
> >     using the cookie extension) and a client is operating in middlebox
> >     compat mode.
> >
> >     In that case the client sends an initial ClientHello and receives a
> >     ServerHello(HRR) back with a cookie in it. Before it sends its second
> >     ClientHello it first sends a dummy CCS.
> >
> >     >From the server perspective it is operating statelessly so until it
> >     gets
> >     a ClientHello with a valid cookie in it, any message it receives is
> >     considered the "first" one. Therefore, because the server has
> forgotten
> >     about the initial interaction with the client, the first message it
> sees
> >     is a CCS.
> >
> >     Draft-22 says this:
> >
> >       "An implementation may receive an unencrypted record of type
> >        change_cipher_spec consisting of the single byte value 0x01 at any
> >        time during the handshake and MUST simply drop it without further
> >        processing."
> >
> >     Does "any time during the handshake" include the very first message
> it
> >     receives? If so then this has implications for servers that accept
> >     connections from TLSv1.2 (and below) clients (regardless of whether
> the
> >     server is stateless or not), i.e. an incoming connection that starts
> >     with a CCS and then goes on to negotiate TLSv1.2 would be accepted
> which
> >     seems odd.
> >
> >     If it doesn't mean that then a stateless server will receive a CCS as
> >     the first message and not know how to handle it.
> >
> >
> >
> > The way that NSS handles this is to remember that the CCS was received
> > and then if it turns out that you negotiate TLS 1.2, you throw an error
> in
> > that case. With that said, in most of the cases where you are stateless,
> > you're probably going to want to ignore bogus records anyway, which would
> > include unexpected CCS.
>
> So, do you believe that the correct interpretation of "any time during
> the handshake" includes the first message?


Yes, this is how we have interpreted it



> I think it would be helpful
> to be more explicit in the text if that is the case, i.e. identify the
> first point in the handshake and the last point in the handshake where
> CCS is valid. There probably should also be some words about how servers
> implementing older TLS versions should handle a CCS that comes first.
>

I could add those.


However, I'm concerned about the added complexity of interpreting things
> that way. Suddenly a CCS arriving is no longer handled by just dropping
> it and forgetting it - you now have to store state about that and
> remember it later on in the process in other TLS versions. The CCS
> workaround was supposed to be a simple no-op to implement and it no
> longer appears that way in this interpretation.


Well, it seems like the issue here is you want the client to send CH1, CCS,
CH2
so we need the server to accept that. Am I missing something?

-Ekr

v2.23.0 | Report a Bug | By Email