Re: [TLS] TLS ALPN (rfc7301), no reserved seperator char and why is 0 no banned
Hubert Kario <hkario@redhat.com> Tue, 14 April 2015 18:04 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 055B71A1B48 for <tls@ietfa.amsl.com>; Tue, 14 Apr 2015 11:04:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FZgrPiEFhpxj for <tls@ietfa.amsl.com>; Tue, 14 Apr 2015 11:04:31 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EFB21A1ABC for <tls@ietf.org>; Tue, 14 Apr 2015 11:04:30 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t3EI4Tw4009842 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 14 Apr 2015 14:04:29 -0400
Received: from pintsize.usersys.redhat.com (dhcp-0-236.brq.redhat.com [10.34.0.236]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t3EI4Qvk028498 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Tue, 14 Apr 2015 14:04:28 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org, mrex@sap.com
Date: Tue, 14 Apr 2015 20:04:20 +0200
Message-ID: <16060812.rZlCWar0gQ@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.4 (Linux/3.19.3-100.fc20.x86_64; KDE/4.14.6; x86_64; ; )
In-Reply-To: <20150413223049.63EE81B281@ld9781.wdf.sap.corp>
References: <20150413223049.63EE81B281@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1524492.FzM0Kf4g20"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/JJZH6JmXKZq_SsOoxZ3vgWpvjo0>
Subject: Re: [TLS] TLS ALPN (rfc7301), no reserved seperator char and why is 0 no banned
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2015 18:04:33 -0000
On Tuesday 14 April 2015 00:30:49 Martin Rex wrote: > Andrei Popov wrote: > > Yes, this is an example of NPN legacy in ALPN, > > and yes there is some API pain involved. > > I'm not trying to break things and I'm not advocating to change > any existing APIs. But I've just been asked for support of this > and am looking into newly implementing it, and I would appreciate > if we (i.e. the IETF TLS working group) could restrict the TLS ALPN IDs > at least by banning the character 0 from TLS ALPN ID registrations now. > > Being allowed to reject embedded NULs would facilitate some aspects > (save me a few lines of code). > > I can live with UTF8. > > A single reserved character (such as colon ':' or pipe '|' or comma ',') > would allow me to avoid a character escaping scheme for the API I'm > trying to create, but I could live with this issue being a proprietary > thing. You don't prevent CVE-2009-2408-like exploits by banning nulls in fields. If anything, the RFC could be updated to explicitly state that implementations MUST be able to handle the case where the IDs include null bytes. But this is the case for basically all fields both in TLS and X509... -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [TLS] TLS ALPN (rfc7301), no reserved seperator c… Martin Rex
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Andrei Popov
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Martin Rex
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Martin Thomson
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Andrei Popov
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Martin Rex
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Hubert Kario
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Watson Ladd
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Martin Rex
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Hubert Kario
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Andrei Popov
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Martin Thomson
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Andrei Popov
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Martin Thomson
- Re: [TLS] TLS ALPN (rfc7301), no reserved seperat… Andrei Popov