IETF Logo Mail Archive

Re: [TLS] Proposed text for removing renegotiation

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 12 June 2014 00:22 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 755DA1B28F2 for <tls@ietfa.amsl.com>; Wed, 11 Jun 2014 17:22:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QoY9wrEpEi8l for <tls@ietfa.amsl.com>; Wed, 11 Jun 2014 17:22:19 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0140.outbound.protection.outlook.com [207.46.163.140]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9232D1B28E0 for <tls@ietf.org>; Wed, 11 Jun 2014 17:22:19 -0700 (PDT)
Received: from BL2PR03MB419.namprd03.prod.outlook.com (10.141.92.18) by BL2PR03MB417.namprd03.prod.outlook.com (10.141.92.12) with Microsoft SMTP Server (TLS) id 15.0.954.9; Thu, 12 Jun 2014 00:22:17 +0000
Received: from BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) by BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) with mapi id 15.00.0954.000; Thu, 12 Jun 2014 00:22:17 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [TLS] Proposed text for removing renegotiation
Thread-Index: AQHPefQqRTsIIFK8gk6N5dkaAVUiXZtVJ/UAgAEX8YCADnobgIABFBgAgAALywCAApynAIAAs6aAgAAEdjCAADDigIAC+GgggAAUEoCAAEUNkA==
Date: Thu, 12 Jun 2014 00:22:15 +0000
Message-ID: <71550d53435b46c9960e3151eee71180@BL2PR03MB419.namprd03.prod.outlook.com>
References: <CAFewVt65X1V6=A_HP_pcg=6nXNVFLxQmSsPB2rq1KvmGPRz+og@mail.gmail.com> <20140606223045.3B5AF1AD46@ld9781.wdf.sap.corp> <CACsn0cmcc6kXvOuqkZaDj7+QPdpY9qqQ58bs3s-JBGXdNJSZyw@mail.gmail.com> <CABcZeBPe45BM-uXd7DEBD_BBn=jhk8KkYB=facp+NMb2e4nBiw@mail.gmail.com> <1402299260.2427.2.camel@dhcp-2-127.brq.redhat.com> <CABkgnnX5+fXNDy1o7Pu60rp8vSx7XfKbt337e_q=+3fb8fXHJw@mail.gmail.com> <fab4976db86243c5a02039866e3be457@BL2PR03MB419.namprd03.prod.outlook.com> <CABkgnnWn8YTZvh3=caLmpQtT+tUWJmx20J3cPrQJEObRQK4UiA@mail.gmail.com> <319344a622ba450aa60d454fd9f97135@BL2PR03MB419.namprd03.prod.outlook.com> <CABkgnnXOa7cyTK2pHSoPjGhjHaWTdZQ_PnwM3F=2vPEXCdFpyw@mail.gmail.com>
In-Reply-To: <CABkgnnXOa7cyTK2pHSoPjGhjHaWTdZQ_PnwM3F=2vPEXCdFpyw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::2]
x-microsoft-antispam: BL:0; ACTION:Default; RISK:Low; SCL:0; SPMLVL:NotSpam; PCL:0; RULEID:
x-forefront-prvs: 02408926C4
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(428001)(24454002)(377454003)(13464003)(189002)(199002)(83072002)(85852003)(4396001)(76482001)(64706001)(83322001)(19580395003)(33646001)(77982001)(92566001)(46102001)(20776003)(80022001)(19580405001)(81342001)(79102001)(74662001)(74502001)(31966008)(81542001)(15975445006)(99396002)(2656002)(87936001)(99286001)(101416001)(50986999)(54356999)(86362001)(21056001)(76176999)(77096999)(74316001)(76576001)(93886003)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2PR03MB417; H:BL2PR03MB419.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/EskcrfZ9tfRW4k4W5jsnmaLnZoo
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Proposed text for removing renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jun 2014 00:22:22 -0000

> the consensus in HTTPbis is to provide a mechanism whereby servers are able to downgrade to HTTP/1.1 for the purposes of corner cases that are only properly supported by HTTP/1.1.
I can't help noticing that this seems to directly contradict the #1 item on the HTTPbis WG charter:
" The Working Group's specification deliverables are:
 * A document (or set of documents) that is SUITABLE TO SUPERCEDE RFC 2616 as
 the definition of HTTP/1.1 and move RFC 2817 to Historic status"
But I guess this is up to the HTTPbis WG to discuss:)

> https://github.com/http2/http2-spec/pull/514/files#diff-8894168382f6487e5e38c4306e613a88R3430 
There are at least two protocol layering violations in this text, which I think will cause problems:
1) Preventing the use of renegotiation in response to a request for a specific protected resource, and
2) Constraining the TLS cipher suites to be used with HTTP/2.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Wednesday, June 11, 2014 1:02 PM
To: Andrei Popov
Cc: Nikos Mavrogiannopoulos; tls@ietf.org
Subject: Re: [TLS] Proposed text for removing renegotiation

To establish a bit more context here: the consensus in HTTPbis is to provide a mechanism whereby servers are able to downgrade to HTTP/1.1 for the purposes of corner cases that are only properly supported by HTTP/1.1.

Aside from some interesting legacy scenarios, client authentication was considered a major reason for this feature.  We decided not to adopt something like the -cant draft at the current time, since the more generic capability was also needed.

On 11 June 2014 12:37, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> 1. An existing HTTP/1.1 server cannot take advantage of TLS 1.3 if TLS client auth is required. This is because an existing HTTP/1.1 server is not aware of httpbis-cant.

Correct.  That makes something like -cant a prerequisite of an upgrade to TLS 1.3 for those servers.

> 2. An HTTP/2 server requires an updated TLS stack with tls-care support in order to perform TLS client auth. This is because HTTP/2 prohibits renegotiation.

This can be worked around.  In fact, the proposed text permits renegotiation in TLS 1.2 (there is no "earlier" here because we prohibit the use of earlier versions) prior to starting HTTP/2:

https://github.com/http2/http2-spec/pull/514/files#diff-8894168382f6487e5e38c4306e613a88R3430

(This isn't in the main spec due to a dependency issue, that text captures the established consensus from the most recent interim
meeting.)

> 3. Even with the updated TLS stack in place, an HTTP/2 server cannot negotiate TLS 1.2 and earlier if TLS client auth is required. This is because TLS 1.2 and earlier would send the client cert in the clear, which is bad for client privacy.

See above workaround.  The cost there is an additional round trip (if you do false start, that is, it's a lot more without).

> 4. Without renegotiation, TLS client auth requires additional round-trips to establish a new TCP connection.

Correct.

v2.23.0 | Report a Bug | By Email