Re: [TLS] Spec issue with RFC 7627 (EMS) and resumption
Achim Kraus <achimkraus@gmx.net> Wed, 27 October 2021 08:55 UTC
Return-Path: <achimkraus@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAED53A08C1 for <tls@ietfa.amsl.com>; Wed, 27 Oct 2021 01:55:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.429
X-Spam-Level:
X-Spam-Status: No, score=-5.429 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-3.33, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHrg9pDp0eQJ for <tls@ietfa.amsl.com>; Wed, 27 Oct 2021 01:55:50 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F49C3A08C0 for <tls@ietf.org>; Wed, 27 Oct 2021 01:55:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1635324941; bh=y82LwQy6r84mBM7RBGxgKxuKdGvenIjT7gTcJ+iEjfI=; h=X-UI-Sender-Class:Subject:To:Cc:References:From:Date:In-Reply-To; b=XqH5TSNfOcI7FF8x65ahGEPVjlgVqRblg6wBNVqT+l8BqL5NBx1fEzgQD1v8btQ0y CiMEQia06xE7QIW53aGMnqLxy2Kgx1bwniWoz8w26jhngF0WQMjhewc9WSEA0GbX+G bQn2lL+6o3m5ZcCTAeNK/xrPM+ct/rhPuPAzDGA8=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.10] ([5.146.193.130]) by mail.gmx.net (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MatRZ-1nD4vX3ZGt-00cTMd; Wed, 27 Oct 2021 10:55:40 +0200
To: David Benjamin <davidben@chromium.org>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <CAF8qwaDi19sp_hg0mTySRGEf46kHfc1bCKee4bH+98QQmxtjog@mail.gmail.com> <CAF8qwaBW_MMJNjP5cQbFvgTgu8hEXAGDpoTjiKWgPzbAeG7O2A@mail.gmail.com> <b2731682-e3a1-6f5d-c692-9d9234e15757@gmx.net> <CAF8qwaBbGUOJEf9rYCzEZzbOy9WN+cHQ8wwP9GY5XcA3vygL6Q@mail.gmail.com>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <85e45c6c-4df0-c73c-a39c-b31b78443a0c@gmx.net>
Date: Wed, 27 Oct 2021 10:55:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <CAF8qwaBbGUOJEf9rYCzEZzbOy9WN+cHQ8wwP9GY5XcA3vygL6Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: de-AT-frami
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:LVbohU/bejOLfQe97P+UkqNdN8OdFet5fp/rzg6Rmk53eXw9gm0 bRmyOvcjyUDjFCLbqd/s1Ik7lKy/eCXs2XQDHm02WgTQefGNwHesB+ou33zidxGPN86HP3y 8m2UR84y/9tP9UzakCbjPfBCD726Vre1qLme9O8r0aj9q2iNjb/lJWMSdURw2jqTNko1RmB FSLsgZw4EtSPf4gkVT4hw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:cpyVEkthtIE=:TzMETpsYA6iM0YjCaarKwW +5rL7fFArgElAoSXH4LY5yA+Ej7R1gtpb1c0eaTJXuNeS3UtxtISmGHFVAirDlyqTl7/PogHI CfU1K+kccAnv0lxYRvWo5dgDpty8bvpUMBeftZXeuQBGwxY0TNqRW8ITLiqH78KwK+5tP25ia IcfTBL7xibsP0n0Fus6mr3PrZyVZFeaNjm5R/4q1lwrQfJQIT1lnTFbQQN00m10T0WumztIc5 J7wAjnpnkTlRwiwH5VeC6DF4dE1sl1czUNVWdtGYObb/t0xZsvSmwB2RFTGkHHjanErCVSIh1 yxppdavuNHombnTxouvWi+ql2obISOAsul108A2ufyGYcy6a7KsyLwFbCMTAwoa4alSLqkE3/ z1dohBwGNm9+iwdUyhu4vgYndFq0wFkxnlSc5styW8GB7K9bxjJt14IbBuD7ZVW9Tm8xfeyGx PJVk4lowwj4TsHMHYzFQuZ6Ozu5ht8FmLBZYv03RfiE1bAZCrKYeId2t481fQAcLF5vkGZ8AH IlJWLcJ4HzVFftXt/3MNyU6ysY7QXHf0ytKs0a7FrXuSgWMHZokNsiFfgZrTzzXeThSngQ/zy B8t3BVFe8fbAFIZz0B0b1sJMeFJgZ69Ic6VF+ohqAgNlJxM+5BvyFASO4KYa2d+kqhmK84Yzv 1xW2SMoLDIOGYoekCUMifU9Eo+wgiku9tnbgn5eYMGX1BIN8gqVTTicZ4nWP4gOnUSYH6U9xt +VFRtsvMFxNePCGAksJEJIOIYsSjc7WsuN8WFNzHaMS2j5IN4yMMWQYOLt3mFoTVA4DcHSXB4 lm3WMpg1OyRnm5qbSLd7MreMVl2WlB2yxwHGVaFNydu41cHyWg8Sqvo5rEf0GVuuIzHk2piKY xvG9HLH1QaEs04Lnrkw9tI53U+E580TLeLgtPr3VT9zElVXiXZcYRzn9OuLpbGtDhCXhTOCQO idDLeUOhRE7WieUbNte5iOiKIDRG/xHlDjRu0E1nfrFBVjLLv4hpFJbLFVFedVyhXHlrDeQS3 g6UK2Nd7PcprBgcmta2IDTOUhDrOsHME6qwXaEqgm65uq+rZQTgBYugMIJQzIR2LAinXLHgPJ RUCdj6hiYHPAL8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LAhg4jJE3n5MyQkMXWjPW1VpVes>
Subject: Re: [TLS] Spec issue with RFC 7627 (EMS) and resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Oct 2021 08:55:55 -0000
Hi David, my question considers 2. , if one peer uses RFC 7627 and the other not (legacy). Case 1: - client using RFC 7627, server not (legacy) -- client fallsback to full-handshakes Case 2: - server using RFC 7627, client not (legacy) -- if the client tries a resumption, the current definition is, that the server SHOULD abort. In my opinion in case 2, the server SHOULD also just fallback to a full-handshake. That's done by sending a ServerHello with a new Session ID and the other handshake messages of a full handshake. In the end, that prevents, that a client to have to execute a second, then full handshake, as fallback. best regards Achim Am 26.10.21 um 17:50 schrieb David Benjamin: > At least for an erratum, I don't think it makes sense to change that as > part of this. > > I think your question is conflating a few things. Let me try to untangle > this, as this document is little confusing. It seems to be describing, > via SHOULDs and MUSTs, three different implementation profiles concurrently: > 1. A client or server that negotiates EMS when available, but continues > to be compatible with legacy peers, resumption and all. > 2. A client or server that negotiates EMS when available, continues to > be compatible with legacy peers, but only allows full handshakes with > them. I forget how 3SHAKE worked, but I vaguely recall that cutting out > legacy resumptions avoided a source of issues > 3. A client or server that requires EMS on all connections, and is not > compatible with legacy peers at all. This way you can rely on the EMS > bugfix being applied. > > Because these are all interleaved, it's a very hard to tell what bits > correspond to this profile and what bits correspond to EMS itself. I > think this was overambitious. Anything but (1) was implausible for most > deployments in 2016, because EMS only just started existing. I expect it > is still implausible for most, though I don't have metrics for the web. > Hence, if we were completely redoing this document (probably not worth > it?), I think it should be reorganized. :-) > > Now, as to your question, I don't believe this is right: > > > If the client follows this guide, it falls-back to use a full handshake. > > If the client doesn't follow this (maybe, the client is not aware of RFC > > 7627), the server SHOULD aborts. > > The client SHOULD you are referring to is for a client that implements > (2). If a client does not follow this, it implements (1). The server > SHOULD, however, says "If neither the original session /nor the new > ClientHello/ uses the extension, the server SHOULD abort the handshake." > That clause doesn't apply to the client SHOULD in the first place > because, whether the client is (1) or (2), the ClientHello will signal EMS. > > It does apply to legacy clients that do not implement EMS at all. > Whether the server continues, does a full handshake, or aborts depends > on whether the server wants to do (1), (2), or (3). Yes, if it picks (3) > and aborts, the server will not interoperate with a legacy client. That > is exactly what those servers would want. It is odd that the text only > describes (1) and (3) for the server in this case, not (2). But adding > (2) in without a rework will only make this complicated situation worse, > so I do not propose to address it as part of this fix. > > On Tue, Oct 26, 2021 at 1:05 AM Achim Kraus <achimkraus@gmx.net > <mailto:achimkraus@gmx.net>> wrote: > > Hi David, > > if you're on it, maybe it's worth to consider my question from January > 2021 as well. > > > If the client follows this guide, it falls-back to use a full > handshake. > > If the client doesn't follow this (maybe, the client is not > aware of RFC > 7627), the server SHOULD aborts. > > > Why SHOULD the server not (also) just fall-back to use a full > handshake? > > For more details see: > > https://mailarchive.ietf.org/arch/msg/tls/gjBFHWwp1k-w1KdBkotp496zaf8/ > <https://mailarchive.ietf.org/arch/msg/tls/gjBFHWwp1k-w1KdBkotp496zaf8/> > > best regards > Achim Kraus > > Am 26.10.21 um 00:51 schrieb David Benjamin: > > Here's some possible replacement text for that paragraph: > > > > """ > > In some deployments, a legacy client or server may be exposed to a > > session using extended master secret. For example, a group of servers > > sharing a ticket encryption key may be in the process of enabling > this > > extension. If such a session is used in an abbreviated handshake > without > > the extension, a newer peer will fail the connection, as described in > > Section 5.3. To avoid this, legacy servers SHOULD ignore such > sessions > > and continue with a full handshake, and legacy clients SHOULD NOT > offer > > such sessions in the ClientHello. > > > > This can be implemented by ensuring legacy implementations do not > > recognize sessions using extended master secret. For example, the > > sessions may have a higher internal version number or, if the older > > implementation rejects unrecognized fields, include a new field. > If this > > is not possible, deployments may deploy a new session cache or ticket > > encryption key alongside the new version. > > """ > > > > Unfortunately, "session using extended master secret" is a bit of a > > mouthful, but section 5.4 didn't define a more concise term. > > > > On Mon, Oct 25, 2021 at 4:01 PM David Benjamin > <davidben@chromium.org <mailto:davidben@chromium.org> > > <mailto:davidben@chromium.org <mailto:davidben@chromium.org>>> wrote: > > > > Hi all, > > > > In diagnosing an interop issue, I noticed RFC 7627 did not > describe > > the correct server behavior for EMS very well. Seemingly as a > > result, some server implementation has gotten this wrong. I'd > like > > to fix this in the spec so this doesn't happen again. I think, at > > minimum, we need to replace the last paragraph of section 5.4. > > > > The issue is a server that /doesn't/ implement EMS, when > presented a > > ClientHello containing a ticket or session ID by a server that > > /did/ implement EMS, must ignore the session and continue with a > > full handshake. Failing to do so will trip the client check in > > Section 5.3, "If a client receives a ServerHello that accepts an > > abbreviated handshake, [...]". This is important to meet > these three > > properties: > > > > - If the client and server both support EMS, the connection must > > negotiate it. > > - On resumption, the EMS status of the connection must match > the EMS > > status of the session > > - In order for EMS to be safely deployable, it must be > possible to > > roll EMS out gradually, or roll it back, without breaking > > connections. This means a mixed pre-EMS and post-EMS server > > deployment must work. > > > > Note that, although this behavior is only visible at the pre-EMS > > server (not directly in scope for this document), it is > actually a > > requirement on the post-EMS server. When the post-EMS server > issues > > a session, it must arrange for the pre-EMS server to ignore > it. For > > example, if the pre-EMS server rejects sessions with unparsable > > fields (the safest option), the post-EMS server can add a new > field > > to the session state serialization. Failing that, it can bump > some > > internal version number. Another strategy is to rotate session > > ticket keys alongside the version, but this can be tricky the way > > deployments and software updates are often split. > > > > There's an analogous, though less likely, client scenario that a > > pre-EMS client must not offer a post-EMS session. Otherwise > it will > > run afoul of a server requirement. This can be relevant for > clients > > that serialize their session cache. > > > > As far as I can tell, RFC 7627 does not specify any of this. The > > first paragraph of section 5.4 talks about adding a flag, but > > doesn't talk about how pre-EMS servers interact with that > flag. The > > last paragraph discusses this scenario, but says something very > > strange, if not plain wrong: > > > > If the original session uses an extended master secret > but the > > ClientHello or ServerHello in the abbreviated handshake > does not > > include the extension, it MAY be safe to continue the > abbreviated > > handshake since it is protected by the extended master > secret of the > > original session. This scenario may occur, for example, > when a > > server that implements this extension establishes a > session but the > > session is subsequently resumed at a different server > that does not > > support the extension. Since such situations are unusual > and likely > > to be the result of transient or inadvertent > misconfigurations, this > > document recommends that the client and server MUST abort > such > > handshakes. > > > > https://datatracker.ietf.org/doc/html/rfc7627#section-5.4 > <https://datatracker.ietf.org/doc/html/rfc7627#section-5.4> > > <https://datatracker.ietf.org/doc/html/rfc7627#section-5.4 > <https://datatracker.ietf.org/doc/html/rfc7627#section-5.4>> > > > > First, the "MAY" is immediately contradicted by the following > > "MUST", and by section 5.3. It seems it should have been an > English > > lowercase "may", not a normative RFC 2119 "MAY". It is also > wrong in > > calling this situation "unusual and likely to be the result of > > transient or inadvertent misconfigurations". Rather, it is the > > natural transition state of any large server rollout. I think we > > need to delete that entire paragraph and replace it with text > that > > describes the rules above. If we were doing a whole new > version of > > the document, I think the text could do with reorganization. But > > that may not be worth doing, given folks should be using TLS > 1.3 now. > > > > Thoughts? I can put together some replacement text if folks > agree. > > What would be the best way to do this? Just an erratum? > > > > David > > > > > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org <mailto:TLS@ietf.org> > > https://www.ietf.org/mailman/listinfo/tls > <https://www.ietf.org/mailman/listinfo/tls> > > >
- [TLS] Spec issue with RFC 7627 (EMS) and resumpti… David Benjamin
- Re: [TLS] Spec issue with RFC 7627 (EMS) and resu… David Benjamin
- Re: [TLS] Spec issue with RFC 7627 (EMS) and resu… Achim Kraus
- Re: [TLS] Spec issue with RFC 7627 (EMS) and resu… David Benjamin
- Re: [TLS] Spec issue with RFC 7627 (EMS) and resu… Achim Kraus
- Re: [TLS] Spec issue with RFC 7627 (EMS) and resu… David Benjamin
- Re: [TLS] Spec issue with RFC 7627 (EMS) and resu… Achim Kraus