Re: [TLS] Comments on draft-rescorla-tls-renegotiate

Martin Rex <> Fri, 13 November 2009 01:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4326C3A67E4 for <>; Thu, 12 Nov 2009 17:50:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.166
X-Spam-Status: No, score=-6.166 tagged_above=-999 required=5 tests=[AWL=0.083, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OvsRGq5+BOub for <>; Thu, 12 Nov 2009 17:50:11 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 99F533A6358 for <>; Thu, 12 Nov 2009 17:50:11 -0800 (PST)
Received: from by (26) with ESMTP id nAD1odl1028109 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 13 Nov 2009 02:50:39 +0100 (MET)
From: Martin Rex <>
Message-Id: <>
To: (Nicolas Williams)
Date: Fri, 13 Nov 2009 02:50:38 +0100 (MET)
In-Reply-To: <20091113005419.GQ1105@Sun.COM> from "Nicolas Williams" at Nov 12, 9 06:54:19 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Subject: Re: [TLS] Comments on draft-rescorla-tls-renegotiate
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Nov 2009 01:50:13 -0000

Nicolas Williams wrote:
> Comments:
> 1) The rest of this comment can be ignored if the use of protocol
>    extensions in draft-rescorla-tls-renegotiate is deemed to not be a
>    problem.
>    I believe this problem can be fixed without using protocol extensions
>    at all.  All that has to be done is this: for re-negotiations the
>    Finished message computation changes from this:
>     PRF(master_secret, finished_label, Hash(handshake_messages))
>        [0..verify_data_length-1];
>    to:
>     PRF(master_secret, finished_label,
> 	    Hash(handshake_messages || outer_connection_client_finished))
>        [0..verify_data_length-1];
>    where outer_connection_client_finished is the client Finished message
>    for the previous/old/outer TLS connection
>    There is no need to signal this!

If you do not signal, then your client will not be able to detect
whether it is talking to an old server, in which case the clients
initial handshake might still be proxied into the renegotiation
of that old server.

If there is a signaling in both directions available, and the
client does not receive an indicator in the ServerHello that it
is talking to an Updated Server, then it can never warn and offer
to not connect (some people seem to want that option).

Similarly, if you do not get a feedback in the ServerHello telling
you whether that server is an updated server or not, then your
client can not agree to an old insecure renegotiation (there
might be environments where the connectivity and possibility
to renegotiate is desired, and the MITM-susceptibility not
considered a problem.

If you want to provide the consumers those options, you will
need signaling.  When changing the calculation of the verify_data
of the finished messages for renegotiation, then the only information
that needs to be signaled is that the other side is updated.

Apparently there are some network monitoring folks that would like
to be able to distinguish patched from unpatched TLS implementations.
They might want signaling.

You could have the servers signal with the highest bit of the
protocol server_version in the ServerHello that they're using a
secured (i.e. different from the base protocol version) finished
message calculation for renegotiations, provided that the
client has indicated support for recognizing this modified
server_version in the ServerHello, indicating that the client
is actually talking to an updated server.

For TLS v1.3, the secure renegotiation Finished message calculation
could be made the default, and then it would no longer be necessary
to have the server modify its protocol version number for
protocol versions >=1.3.

Old clients would still get the old protocol version back
on the ServerHello.

Updated clients asserting the special ciphersuite ID would receive:


  0x03,0x00     unpatched server, SSLv3 protocol, original finished calc
  0x03,0x01     unpatched server, TLSv1.0 protocol, original finished calc
  0x03,0x02     unpatched server, TLSv1.1 protocol, original finished calc
  0x03,0x03     unpatched server, TLSv1.2 protocol, original finished calc

  0x83,0x00     patched server, SSLv3 protocol, secure renego finished
  0x83,0x01     patched server, TLSv1.0 protocol, secure renego finished 
  0x83,0x02     patched server, TLSv1.1 protocol, secure renego finished  
  0x83,0x03     patched server, TLSv1.2 protocol, secure renego finished 

and in the future:
  0x03,0x04     new server, TLSv1.3 protocol, secure renego finished

If we're modifying the calculation for the finished messages for
the renegotiation handshake to include the verify_data of the
previous session, then this is a protocol change, and indicating
this in the protocol version of the ServerHello is _no_ abuse. :)

If the client wants to (a) still talk or somewhat dangerous (b) still
renegotiate in the unprotected traditional fashion with an old server,
it can do so, because it determine from the server_version in ServerHello
whether the server is patched and which Finished message calculation
the server will be using.