Re: [TLS] Handshake not under protection

Marsh Ray <> Mon, 21 December 2009 18:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CAD513A697D for <>; Mon, 21 Dec 2009 10:59:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.592
X-Spam-Status: No, score=-2.592 tagged_above=-999 required=5 tests=[AWL=0.007, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nzoe28VqRT0L for <>; Mon, 21 Dec 2009 10:59:21 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 196943A6834 for <>; Mon, 21 Dec 2009 10:59:21 -0800 (PST)
Received: from ([]) by with esmtpa (Exim 4.68) (envelope-from <>) id 1NMnTE-00063u-M2; Mon, 21 Dec 2009 18:59:04 +0000
Received: from [] (localhost []) by (Postfix) with ESMTP id 6C4CE603A; Mon, 21 Dec 2009 18:59:03 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Report-Abuse-To: (see for abuse reporting information)
X-MHO-User: U2FsdGVkX1/2lKMaAh+63ghkhoRmWb76tLPYcxD6Gis=
Message-ID: <>
Date: Mon, 21 Dec 2009 12:59:07 -0600
From: Marsh Ray <>
User-Agent: Thunderbird (Windows/20090812)
MIME-Version: 1.0
To: Ravi Ganesan <>
References: <> <>
In-Reply-To: <>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Handshake not under protection
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Dec 2009 18:59:21 -0000

Ravi Ganesan wrote:
>     Ravi, your terminology is slightly confusing.  Renegotiation refers
>     to a TLS handshake that is performed under protection of an existing
>     TLS session, so the two things you could distinguish are:
> Martin, Point well taken. Thx, Ravi
> p.s. I prefer not to think of the handshake happening "under protection"
> of previous session. Another example of this is in current draft which
> says: "The handshake is in the clear to the attacker but encrypted over
> the attacker's TLS connection to the server." The handshake itself is
> always of course is in the clear, certain values in it are encrypted
> with certain keys. And in some cases this results in binding to previous
> sessions. This sounds nitpicky, but I only say this because perfectly
> smart security people with some knowledge of SSL can read sentences like
> above to assume the entire handshake (including client_random and
> server_random) is encrypted.


There is no "protection" being provided. People who are thinking
renegotiation provides real security for client certificates are
somewhat misguided.

At the TLS level, it's possible for the current session to be
anon-anon-DH, which provides no protection.

In practice, client apps will hand over the plaintext client certificate
to any MitM that asks for it.

- Marsh