Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert

Marsh Ray <marsh@extendedsubset.com> Fri, 04 June 2010 19:52 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A1CF53A69C0 for <tls@core3.amsl.com>; Fri, 4 Jun 2010 12:52:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04zGD-By7WO3 for <tls@core3.amsl.com>; Fri, 4 Jun 2010 12:52:50 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 631FE3A6890 for <tls@ietf.org>; Fri, 4 Jun 2010 12:52:50 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OKcwW-000La4-93; Fri, 04 Jun 2010 19:52:36 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id BF48264D8; Fri, 4 Jun 2010 19:52:34 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18/A9p91SLscRvE2AfYOW7ugnigBhIW9T4=
Message-ID: <4C09597D.1060304@extendedsubset.com>
Date: Fri, 04 Jun 2010 14:52:29 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: mrex@sap.com
References: <201006041847.o54IliTQ001508@fs4113.wdf.sap.corp>
In-Reply-To: <201006041847.o54IliTQ001508@fs4113.wdf.sap.corp>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] RFC-4366-bis and the unrecognized_name(112) alert
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jun 2010 19:52:51 -0000

On 6/4/2010 1:47 PM, Martin Rex wrote:
> Marsh Ray wrote:
>>
>> On 6/4/2010 11:47 AM, Martin Rex wrote:
>>>
>>> But defining only the situation when one peer can send a particular
>>> warning level alert is entirely insufficient.  The definition of
>>> a warning-level alert _MUST_ describe how the receiving peer is
>>> supposed to react to this.
>>
>> I don't agree with such an absolute statement.
>> [...]
> 
> It seems that I wasn't clear enough in my description.
> 
> This must first of all describe how the implementor of the technology TLS
> must make this information available to the consumer of the
> technology/implementation (i.e. the application caller).
> 
> This is similar of how an implementation of TCP must exihibt specific
> semantics to the application caller on receipt of certain TCP flags,
> e.g. the TCP PUSH flag.
> 
> If the spec does not describe this, then it may result in either getting
> entirely ignored--at which point it is useless complexity in the spec,
> or result in unnecessary interop problems, i.e. if a client unconditionally
> abort receiving a warning-level unrecognized_name alert.  In both cases
> such a (mis-)feature would have to be stripped when advancing the spec
> to draft, so there is no point including it in the spec in the first place.

OK, I'll buy that at the level of "should" but not at "_MUST_", if that
makes any sense.

Part of the value in using a separate library with a defined API is that
it reduces the number of states and failure modes that the application
code has to consider. It's exactly like object-oriented encapsulation
which allows the scary mechanical guts of an implementation to be hidden
behind a relatively simple interface. In reality, application code often
deals with TLS connections through the same interface as regular TCP
socket connections. This is great, as long as it's not an
oversimplification of what is really complicated.

As both a "casual user" and occasional "power user" of networking APIs,
I rely on having the option of working with every little detail of the
protocol when I need it. Making an API (or set of APIs) that satisfy
everyone is a real art!

Nevertheless, the vast majority of application code seems to have a
choice of two options when encountering an exceptional condition:

   1. Ignore it and continue as if nothing is wrong.
   2. Abort the operation and propagate the error up to the caller.

In relatively rare cases, a third option is:

   3. Change something (e.g. wait some time) and retry.

Since all of these options require truly non-trivial implementation on
the application side in order to result in a robust system, mandating
application behavior as part of a protocol spec may be asking a bit much.

This is a data security protocol after all and the handshake should
"fail to succeed" if the endpoint identities don't match up right.

IMHO Language like "if the server refuses to continue" should be avoided
in this kind of spec. It's the job of the spec to specify whether the
server should continue or terminate because it is or isn't safe, so in a
sense this warning is just pushing the hard decisions onto the library
and application.

When faced with a 'warning'-like condition, we should try really hard to
define it to be either a fatal error or a success (though possibly with
informational-level messages).

In most cases the name on the certificate would serve to eliminate any
confusion, but there are wildcard certs in use too.

I'm sorry if I missed this in earlier discussion, but why on earth would
an SNI-aware server ever want to continue a handshake with a client that
asked for a name he didn't serve?

A simple solution seemed to work for session resumption:

>From http://tools.ietf.org/html/draft-ietf-tls-rfc4366-bis-08 :
>    A server that implements this extension MUST NOT accept the request to
>    resume the session if the server_name extension contains a different
>    name.

Can we just define this situation as a fatal handshake error and be done
with it?

- Marsh