IETF Logo Mail Archive

Re: [TLS] Spec issue with RFC 7627 (EMS) and resumption

Achim Kraus <achimkraus@gmx.net> Wed, 27 October 2021 08:55 UTC

Return-Path: <achimkraus@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAED53A08C1 for <tls@ietfa.amsl.com>; Wed, 27 Oct 2021 01:55:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.429
X-Spam-Level:
X-Spam-Status: No, score=-5.429 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-3.33, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHrg9pDp0eQJ for <tls@ietfa.amsl.com>; Wed, 27 Oct 2021 01:55:50 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F49C3A08C0 for <tls@ietf.org>; Wed, 27 Oct 2021 01:55:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1635324941; bh=y82LwQy6r84mBM7RBGxgKxuKdGvenIjT7gTcJ+iEjfI=; h=X-UI-Sender-Class:Subject:To:Cc:References:From:Date:In-Reply-To; b=XqH5TSNfOcI7FF8x65ahGEPVjlgVqRblg6wBNVqT+l8BqL5NBx1fEzgQD1v8btQ0y CiMEQia06xE7QIW53aGMnqLxy2Kgx1bwniWoz8w26jhngF0WQMjhewc9WSEA0GbX+G bQn2lL+6o3m5ZcCTAeNK/xrPM+ct/rhPuPAzDGA8=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.10] ([5.146.193.130]) by mail.gmx.net (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MatRZ-1nD4vX3ZGt-00cTMd; Wed, 27 Oct 2021 10:55:40 +0200
To: David Benjamin <davidben@chromium.org>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <CAF8qwaDi19sp_hg0mTySRGEf46kHfc1bCKee4bH+98QQmxtjog@mail.gmail.com> <CAF8qwaBW_MMJNjP5cQbFvgTgu8hEXAGDpoTjiKWgPzbAeG7O2A@mail.gmail.com> <b2731682-e3a1-6f5d-c692-9d9234e15757@gmx.net> <CAF8qwaBbGUOJEf9rYCzEZzbOy9WN+cHQ8wwP9GY5XcA3vygL6Q@mail.gmail.com>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <85e45c6c-4df0-c73c-a39c-b31b78443a0c@gmx.net>
Date: Wed, 27 Oct 2021 10:55:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <CAF8qwaBbGUOJEf9rYCzEZzbOy9WN+cHQ8wwP9GY5XcA3vygL6Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: de-AT-frami
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:LVbohU/bejOLfQe97P+UkqNdN8OdFet5fp/rzg6Rmk53eXw9gm0 bRmyOvcjyUDjFCLbqd/s1Ik7lKy/eCXs2XQDHm02WgTQefGNwHesB+ou33zidxGPN86HP3y 8m2UR84y/9tP9UzakCbjPfBCD726Vre1qLme9O8r0aj9q2iNjb/lJWMSdURw2jqTNko1RmB FSLsgZw4EtSPf4gkVT4hw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:cpyVEkthtIE=:TzMETpsYA6iM0YjCaarKwW +5rL7fFArgElAoSXH4LY5yA+Ej7R1gtpb1c0eaTJXuNeS3UtxtISmGHFVAirDlyqTl7/PogHI CfU1K+kccAnv0lxYRvWo5dgDpty8bvpUMBeftZXeuQBGwxY0TNqRW8ITLiqH78KwK+5tP25ia IcfTBL7xibsP0n0Fus6mr3PrZyVZFeaNjm5R/4q1lwrQfJQIT1lnTFbQQN00m10T0WumztIc5 J7wAjnpnkTlRwiwH5VeC6DF4dE1sl1czUNVWdtGYObb/t0xZsvSmwB2RFTGkHHjanErCVSIh1 yxppdavuNHombnTxouvWi+ql2obISOAsul108A2ufyGYcy6a7KsyLwFbCMTAwoa4alSLqkE3/ z1dohBwGNm9+iwdUyhu4vgYndFq0wFkxnlSc5styW8GB7K9bxjJt14IbBuD7ZVW9Tm8xfeyGx PJVk4lowwj4TsHMHYzFQuZ6Ozu5ht8FmLBZYv03RfiE1bAZCrKYeId2t481fQAcLF5vkGZ8AH IlJWLcJ4HzVFftXt/3MNyU6ysY7QXHf0ytKs0a7FrXuSgWMHZokNsiFfgZrTzzXeThSngQ/zy B8t3BVFe8fbAFIZz0B0b1sJMeFJgZ69Ic6VF+ohqAgNlJxM+5BvyFASO4KYa2d+kqhmK84Yzv 1xW2SMoLDIOGYoekCUMifU9Eo+wgiku9tnbgn5eYMGX1BIN8gqVTTicZ4nWP4gOnUSYH6U9xt +VFRtsvMFxNePCGAksJEJIOIYsSjc7WsuN8WFNzHaMS2j5IN4yMMWQYOLt3mFoTVA4DcHSXB4 lm3WMpg1OyRnm5qbSLd7MreMVl2WlB2yxwHGVaFNydu41cHyWg8Sqvo5rEf0GVuuIzHk2piKY xvG9HLH1QaEs04Lnrkw9tI53U+E580TLeLgtPr3VT9zElVXiXZcYRzn9OuLpbGtDhCXhTOCQO idDLeUOhRE7WieUbNte5iOiKIDRG/xHlDjRu0E1nfrFBVjLLv4hpFJbLFVFedVyhXHlrDeQS3 g6UK2Nd7PcprBgcmta2IDTOUhDrOsHME6qwXaEqgm65uq+rZQTgBYugMIJQzIR2LAinXLHgPJ RUCdj6hiYHPAL8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LAhg4jJE3n5MyQkMXWjPW1VpVes>
Subject: Re: [TLS] Spec issue with RFC 7627 (EMS) and resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Oct 2021 08:55:55 -0000

Hi David,

my question considers 2. ,
if one peer uses RFC 7627 and the other not (legacy).

Case 1:
- client using RFC 7627, server not (legacy)
-- client fallsback to full-handshakes

Case 2:
- server using RFC 7627, client not (legacy)
-- if the client tries a resumption, the current definition is, that the
server SHOULD abort.

In my opinion in case 2, the server SHOULD also just fallback to a
full-handshake. That's done by sending a ServerHello with a new Session
ID and the other handshake messages of a full handshake.
In the end, that prevents, that a client to have to execute a second,
then full handshake, as fallback.

best regards
Achim


Am 26.10.21 um 17:50 schrieb David Benjamin:
> At least for an erratum, I don't think it makes sense to change that as
> part of this.
>
> I think your question is conflating a few things. Let me try to untangle
> this, as this document is little confusing. It seems to be describing,
> via SHOULDs and MUSTs, three different implementation profiles concurrently:
> 1. A client or server that negotiates EMS when available, but continues
> to be compatible with legacy peers, resumption and all.
> 2. A client or server that negotiates EMS when available, continues to
> be compatible with legacy peers, but only allows full handshakes with
> them. I forget how 3SHAKE worked, but I vaguely recall that cutting out
> legacy resumptions avoided a source of issues
> 3. A client or server that requires EMS on all connections, and is not
> compatible with legacy peers at all. This way you can rely on the EMS
> bugfix being applied.
>
> Because these are all interleaved, it's a very hard to tell what bits
> correspond to this profile and what bits correspond to EMS itself. I
> think this was overambitious. Anything but (1) was implausible for most
> deployments in 2016, because EMS only just started existing. I expect it
> is still implausible for most, though I don't have metrics for the web.
> Hence, if we were completely redoing this document (probably not worth
> it?), I think it should be reorganized. :-)
>
> Now, as to your question, I don't believe this is right:
>
>  > If the client follows this guide, it falls-back to use a full handshake.
>  > If the client doesn't follow this (maybe, the client is not aware of RFC
>  > 7627), the server SHOULD aborts.
>
> The client SHOULD you are referring to is for a client that implements
> (2). If a client does not follow this, it implements (1). The server
> SHOULD, however, says "If neither the original session /nor the new
> ClientHello/ uses the extension, the server SHOULD abort the handshake."
> That clause doesn't apply to the client SHOULD in the first place
> because, whether the client is (1) or (2), the ClientHello will signal EMS.
>
> It does apply to legacy clients that do not implement EMS at all.
> Whether the server continues, does a full handshake, or aborts depends
> on whether the server wants to do (1), (2), or (3). Yes, if it picks (3)
> and aborts, the server will not interoperate with a legacy client. That
> is exactly what those servers would want. It is odd that the text only
> describes (1) and (3) for the server in this case, not (2). But adding
> (2) in without a rework will only make this complicated situation worse,
> so I do not propose to address it as part of this fix.
>
> On Tue, Oct 26, 2021 at 1:05 AM Achim Kraus <achimkraus@gmx.net
> <mailto:achimkraus@gmx.net>> wrote:
>
>     Hi David,
>
>     if you're on it, maybe it's worth to consider my question from January
>     2021 as well.
>
>       > If the client follows this guide, it falls-back to use a full
>     handshake.
>       > If the client doesn't follow this (maybe, the client is not
>     aware of RFC
>     7627), the server SHOULD aborts.
>
>       > Why SHOULD the server not (also) just fall-back to use a full
>     handshake?
>
>     For more details see:
>
>     https://mailarchive.ietf.org/arch/msg/tls/gjBFHWwp1k-w1KdBkotp496zaf8/
>     <https://mailarchive.ietf.org/arch/msg/tls/gjBFHWwp1k-w1KdBkotp496zaf8/>
>
>     best regards
>     Achim Kraus
>
>     Am 26.10.21 um 00:51 schrieb David Benjamin:
>      > Here's some possible replacement text for that paragraph:
>      >
>      > """
>      > In some deployments, a legacy client or server may be exposed to a
>      > session using extended master secret. For example, a group of servers
>      > sharing a ticket encryption key may be in the process of enabling
>     this
>      > extension. If such a session is used in an abbreviated handshake
>     without
>      > the extension, a newer peer will fail the connection, as described in
>      > Section 5.3. To avoid this, legacy servers SHOULD ignore such
>     sessions
>      > and continue with a full handshake, and legacy clients SHOULD NOT
>     offer
>      > such sessions in the ClientHello.
>      >
>      > This can be implemented by ensuring legacy implementations do not
>      > recognize sessions using extended master secret. For example, the
>      > sessions may have a higher internal version number or, if the older
>      > implementation rejects unrecognized fields, include a new field.
>     If this
>      > is not possible, deployments may deploy a new session cache or ticket
>      > encryption key alongside the new version.
>      > """
>      >
>      > Unfortunately, "session using extended master secret" is a bit of a
>      > mouthful, but section 5.4 didn't define a more concise term.
>      >
>      > On Mon, Oct 25, 2021 at 4:01 PM David Benjamin
>     <davidben@chromium.org <mailto:davidben@chromium.org>
>      > <mailto:davidben@chromium.org <mailto:davidben@chromium.org>>> wrote:
>      >
>      >     Hi all,
>      >
>      >     In diagnosing an interop issue, I noticed RFC 7627 did not
>     describe
>      >     the correct server behavior for EMS very well. Seemingly as a
>      >     result, some server implementation has gotten this wrong. I'd
>     like
>      >     to fix this in the spec so this doesn't happen again. I think, at
>      >     minimum, we need to replace the last paragraph of section 5.4.
>      >
>      >     The issue is a server that /doesn't/ implement EMS, when
>     presented a
>      >     ClientHello containing a ticket or session ID by a server that
>      >     /did/ implement EMS, must ignore the session and continue with a
>      >     full handshake. Failing to do so will trip the client check in
>      >     Section 5.3, "If a client receives a ServerHello that accepts an
>      >     abbreviated handshake, [...]". This is important to meet
>     these three
>      >     properties:
>      >
>      >     - If the client and server both support EMS, the connection must
>      >     negotiate it.
>      >     - On resumption, the EMS status of the connection must match
>     the EMS
>      >     status of the session
>      >     - In order for EMS to be safely deployable, it must be
>     possible to
>      >     roll EMS out gradually, or roll it back, without breaking
>      >     connections. This means a mixed pre-EMS and post-EMS server
>      >     deployment must work.
>      >
>      >     Note that, although this behavior is only visible at the pre-EMS
>      >     server (not directly in scope for this document), it is
>     actually a
>      >     requirement on the post-EMS server. When the post-EMS server
>     issues
>      >     a session, it must arrange for the pre-EMS server to ignore
>     it. For
>      >     example, if the pre-EMS server rejects sessions with unparsable
>      >     fields (the safest option), the post-EMS server can add a new
>     field
>      >     to the session state serialization. Failing that, it can bump
>     some
>      >     internal version number. Another strategy is to rotate session
>      >     ticket keys alongside the version, but this can be tricky the way
>      >     deployments and software updates are often split.
>      >
>      >     There's an analogous, though less likely, client scenario that a
>      >     pre-EMS client must not offer a post-EMS session. Otherwise
>     it will
>      >     run afoul of a server requirement. This can be relevant for
>     clients
>      >     that serialize their session cache.
>      >
>      >     As far as I can tell, RFC 7627 does not specify any of this. The
>      >     first paragraph of section 5.4 talks about adding a flag, but
>      >     doesn't talk about how pre-EMS servers interact with that
>     flag. The
>      >     last paragraph discusses this scenario, but says something very
>      >     strange, if not plain wrong:
>      >
>      >         If the original session uses an extended master secret
>     but the
>      >         ClientHello or ServerHello in the abbreviated handshake
>     does not
>      >         include the extension, it MAY be safe to continue the
>     abbreviated
>      >         handshake since it is protected by the extended master
>     secret of the
>      >         original session.  This scenario may occur, for example,
>     when a
>      >         server that implements this extension establishes a
>     session but the
>      >         session is subsequently resumed at a different server
>     that does not
>      >         support the extension.  Since such situations are unusual
>     and likely
>      >         to be the result of transient or inadvertent
>     misconfigurations, this
>      >         document recommends that the client and server MUST abort
>     such
>      >         handshakes.
>      >
>      > https://datatracker.ietf.org/doc/html/rfc7627#section-5.4
>     <https://datatracker.ietf.org/doc/html/rfc7627#section-5.4>
>      >     <https://datatracker.ietf.org/doc/html/rfc7627#section-5.4
>     <https://datatracker.ietf.org/doc/html/rfc7627#section-5.4>>
>      >
>      >     First, the "MAY" is immediately contradicted by the following
>      >     "MUST", and by section 5.3. It seems it should have been an
>     English
>      >     lowercase "may", not a normative RFC 2119 "MAY". It is also
>     wrong in
>      >     calling this situation "unusual and likely to be the result of
>      >     transient or inadvertent misconfigurations". Rather, it is the
>      >     natural transition state of any large server rollout. I think we
>      >     need to delete that entire paragraph and replace it with text
>     that
>      >     describes the rules above. If we were doing a whole new
>     version of
>      >     the document, I think the text could do with reorganization. But
>      >     that may not be worth doing, given folks should be using TLS
>     1.3 now.
>      >
>      >     Thoughts? I can put together some replacement text if folks
>     agree.
>      >     What would be the best way to do this? Just an erratum?
>      >
>      >     David
>      >
>      >
>      > _______________________________________________
>      > TLS mailing list
>      > TLS@ietf.org <mailto:TLS@ietf.org>
>      > https://www.ietf.org/mailman/listinfo/tls
>     <https://www.ietf.org/mailman/listinfo/tls>
>      >
>

v2.23.0 | Report a Bug | By Email