Re: [TLS] Impact of draft-ietf-mptcp-api on TLS
Florian Weimer <fweimer@redhat.com> Thu, 29 November 2012 09:21 UTC
Return-Path: <fweimer@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FC6421F8A7B for <tls@ietfa.amsl.com>; Thu, 29 Nov 2012 01:21:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c4oBmBRwV+Ke for <tls@ietfa.amsl.com>; Thu, 29 Nov 2012 01:21:26 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id F0CA321F8773 for <tls@ietf.org>; Thu, 29 Nov 2012 01:21:25 -0800 (PST)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id qAT9L7TG024180 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 29 Nov 2012 04:21:10 -0500
Received: from fweimer.str.redhat.com (oldenburg.str.redhat.com [10.33.200.60]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id qAT9L4S9032260 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Thu, 29 Nov 2012 04:21:06 -0500
Message-ID: <50B72900.5050400@redhat.com>
Date: Thu, 29 Nov 2012 10:21:04 +0100
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Geoffrey Keating <geoffk@geoffk.org>
References: <20121128153650.7A2971A3BD@ld9781.wdf.sap.corp> <50B6333C.50606@cs.tcd.ie> <m2624ptshs.fsf@localhost.localdomain>
In-Reply-To: <m2624ptshs.fsf@localhost.localdomain>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Cc: tls@ietf.org
Subject: Re: [TLS] Impact of draft-ietf-mptcp-api on TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Nov 2012 09:21:27 -0000
On 11/28/2012 08:52 PM, Geoffrey Keating wrote: > Maybe a related example will help: suppose the user is trying to > connect to https://198.51.100.3. There is an HTTP proxy configured, > so what the browser actually does is make a TCP connection to > 192.0.2.99, send 'CONNECT https://198.51.100.3', and then start the > SSL negotiation. The certificate still has to mention 198.51.100.3, > and doesn't have to mention 192.0.2.99. > > So, in MPTCP, if the user asks for mphttps://198.51.100.3 (or > whatever), then 198.51.100.3 is the address that has to appear in the > certificate, even if the connection is redirected to some other > endpoint, even if the redirection happens before any data is actually > sent on the connection. I suspect the confusion arises because if the interaction with 198.51.100.3 causes another connection with a different IP address to be created, it hast to be verified against the IP address 198.51.100.3 as well. This is different from HTML over HTTPS, where additional connections use the embedded addresses and names for endpoint verification. This is possible because in the HTML/HTTPS case, these names and addresses are protected by the TLS channel, while in MPTCP, they are not. -- Florian Weimer / Red Hat Product Security Team
- [TLS] Impact of draft-ietf-mptcp-api on TLS Sean Turner
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Sean Turner
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Martin Rex
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Geoffrey Keating
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Peter Saint-Andre
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Martin Rex
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Stephen Farrell
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Geoffrey Keating
- Re: [TLS] Impact of draft-ietf-mptcp-api on TLS Florian Weimer