Re: [TLS] Server validation of a second ClientHello
Eric Rescorla <ekr@rtfm.com> Wed, 13 February 2019 14:39 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 621E5129441 for <tls@ietfa.amsl.com>; Wed, 13 Feb 2019 06:39:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0165e6rdlVth for <tls@ietfa.amsl.com>; Wed, 13 Feb 2019 06:39:43 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA8E9126C7E for <tls@ietf.org>; Wed, 13 Feb 2019 06:39:42 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id f24-v6so2240637ljk.0 for <tls@ietf.org>; Wed, 13 Feb 2019 06:39:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6Ng13XbHiYGvt49ozAyCUqOeUdMY18ZmdPYGXbdmq4c=; b=js0KDWDXwcYMBp6ZlCUqcXrF5b1G04HNmANwi2pT5WAUZB8DhU5IirUKtgXHGpCa1e Oj+UWkHT2AMYstONNBk+2HwUvBSjQn97l3Qa6sAMzwQI145hecAu3dLIT2RFqrYd7OKr Iu3MFUZqaeVIzhz0pmvA43Xjqr5oKWuni65K/4NLSZMtJoO3NohIxsVn/12hEQfG4Sz3 ln7h2EtSBmVQV91zlgDdFwiEVKIMfCG77eTV7kVUa3clzNBLAGhK0KMgg+NKnJRbbPFo 9CnfmlvpgdOT99kxgLsdNmW01kfRO08nWat785wW9X9T1WbHvpsjVe7Fmnmy/aCLPMYl zH0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6Ng13XbHiYGvt49ozAyCUqOeUdMY18ZmdPYGXbdmq4c=; b=YtCALCj+QCBrh1BDE/e35vrr1NdY6aLnm9YfFRdqmJkd9yZvFeCb4sM5Do1M+L/LNp ll1KJ5qYJf93PVxYJl6j1McAYYSRBLvIogbaqCB8V46xy3lQ1oJHXBXj0wwDcLL212Xl kd2Gme4ymku8pxdrCoH4VKhS6eVRJ1ejCvlU+L9pzx5Q9A+Gcp7/ShKFlU0jm4D/OQeg Bouhfcuvfitd3xGY6lTmf3YnBGaXC1tyPN3eifyzxWkc+nrmQE9dEbw0oQj7sd2foTgt 1EDvC9Vzfq8oYkYl8+nQIYeUtFB1L3m5ifETXT3wvrAyJvn8bfXPmlyDSEP07j2VLJYa /sUw==
X-Gm-Message-State: AHQUAuZ+aOeHC3kQ/CXMXTUnPT6IFsa7LKL+22Dl73SKuUx2KO1Iu4ez nMKOdKV9sa6dXxdWJ7WkKP7TLh789qqDFs249y7jpw==
X-Google-Smtp-Source: AHgI3IZS9uTdksZXWDgGZ4xPAI2Rr4imcbDqE9UvEloVQ2WpPGhq2pPb4biDmdlA2hsl+a9OyL2GnTyWIZH/fWKYhp8=
X-Received: by 2002:a2e:965a:: with SMTP id z26mr462352ljh.59.1550068780855; Wed, 13 Feb 2019 06:39:40 -0800 (PST)
MIME-Version: 1.0
References: <1549596678.898774.1653407000.2B2ACE8E@webmail.messagingengine.com> <1549980018.5oto7EOJll@pintsize.usersys.redhat.com> <CABcZeBNZJp+KiLEuaRZR0nO1PPEr_qcCJ9MypU104qTm6v8tcA@mail.gmail.com> <103341275.xSgb4icBHy@pintsize.usersys.redhat.com>
In-Reply-To: <103341275.xSgb4icBHy@pintsize.usersys.redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 13 Feb 2019 06:39:03 -0800
Message-ID: <CABcZeBP=MGrj4x5brO5t5uf4tYumkL3Vthu=4zwhBHOYpsSJyQ@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: Martin Thomson <mt@lowentropy.net>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000f88a90581c78331"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/N3BANCu6JY3blyxYK8ZVOPAw0-c>
Subject: Re: [TLS] Server validation of a second ClientHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 14:39:46 -0000
On Wed, Feb 13, 2019 at 4:12 AM Hubert Kario <hkario@redhat.com> wrote: > On Wednesday, 13 February 2019 01:31:41 CET Eric Rescorla wrote: > > I concur with what I take to be MT's position here: > > > > 1. The client is clearly prohibited from changing most elements of the CH > > (except for listed exceptions). > > 2. It's reasonable to check for and fail the handshake on any spec > > violation except those where checking is explicitly forbidden (e.g., Must > > Be Zero but Must be Ignored) > > 3. Nothing in the spec requires the server to check for this condition. > > and what about values that technically can't change (as you noted > yourself) > but they do change and the server does use them? > > you are not suggesting that which value will be used (from first or second > CH), or if the connection will be aborted, to be implementation dependant > *by design* , do you? > I'n not sure I understand your question, but I'll try to answer what I think it says. 1. I do think that whether you continue the connection or abort it is an implementation decision and I think that the way the spec is written says that. 2. I think the spec leaves open whether you should use the first or second values, but I think implementations should use the second value. It's not clear why one would want to use the first. To my knowledge, there was never a WG discussion about this exact question, so we only have the spec to guide us. Were we pre-publication I would have advocated for (a) leaving open whether to abort and (b) requiring you to use the second value. -Ekr > > -Ekr > > > > On Tue, Feb 12, 2019 at 4:53 AM Hubert Kario <hkario@redhat.com> wrote: > > > On Monday, 11 February 2019 00:43:39 CET Martin Thomson wrote: > > > > On Fri, Feb 8, 2019, at 23:53, Hubert Kario wrote: > > > > > the cookie can be up to 2^16 bytes long, even if client sends all > 50 > > > > > extensions and spaces them with unknown extensions between, that's > at > > > > > > most > > > > > > > > 20 bytes per extension = 1000 bytes total extra space needed in > cookie > > > > > (32 bytes and 1600 bytes if you want to be very conservative) > > > > > > > > Yeah, that's ridiculously large. With quite a few extensions > supported, > > > > > > and > > > > > > > many more unknown to us, the only way we might realistically ensure > that > > > > the ClientHello doesn't change is to save a hash snapshot at every > > > > > > boundary > > > > > > > where the cookie extension might be inserted or where an extension > might > > > > > > be > > > > > > > changed. SHA-2 has a fairly small state to capture, but that's still > > > > nearly unbounded state. With an amplification factor of up to 8, > > > > meaning > > > > that it could be more efficient to send the client its entire > > > > ClientHello > > > > in the cookie. > > > > > > I definitely won't claim that it is easy or straight-forward to do, I > do > > > claim > > > that it is possible. Yes, sometimes it may mean that sending the > literal > > > CH in > > > cookie may be more bandwidth efficient. > > > > > > And regarding the specific extension in question, to verify that it > didn't > > > change between Hello's it is only 2 bytes extra in cookie. If that is > too > > > much > > > already, I don't think that stateless HRR is something we will see in > > > implementations for years to come. > > > > > > -- > > > Regards, > > > Hubert Kario > > > Senior Quality Engineer, QE BaseOS Security team > > > Web: www.cz.redhat.com > > > Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech > > > Republic_______________________________________________ > > > TLS mailing list > > > TLS@ietf.org > > > https://www.ietf.org/mailman/listinfo/tls > > > -- > Regards, > Hubert Kario > Senior Quality Engineer, QE BaseOS Security team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
- [TLS] Server validation of a second ClientHello Martin Thomson
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Martin Thomson
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla
- Re: [TLS] Server validation of a second ClientHel… Ilari Liusvaara
- Re: [TLS] Server validation of a second ClientHel… Benjamin Kaduk
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Benjamin Kaduk
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla