IETF Logo Mail Archive

Re: [TLS] handling of duplication of extensions between ServerHello and EncryptedExtensions

Hubert Kario <hkario@redhat.com> Fri, 02 September 2016 19:35 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C121012B05E for <tls@ietfa.amsl.com>; Fri, 2 Sep 2016 12:35:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.45
X-Spam-Level:
X-Spam-Status: No, score=-7.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kM21OXdXc4Tx for <tls@ietfa.amsl.com>; Fri, 2 Sep 2016 12:35:41 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78977126B6D for <tls@ietf.org>; Fri, 2 Sep 2016 12:35:41 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 354038E251; Fri, 2 Sep 2016 19:35:41 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (vpn1-5-142.ams2.redhat.com [10.36.5.142]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u82JZd4b024403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 2 Sep 2016 15:35:40 -0400
From: Hubert Kario <hkario@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 02 Sep 2016 21:35:39 +0200
Message-ID: <4118587.U72rWoGRq0@pintsize.usersys.redhat.com>
User-Agent: KMail/5.2.3 (Linux/4.6.7-300.fc24.x86_64; KDE/5.25.0; x86_64; ; )
In-Reply-To: <CABcZeBPm-Cwgh8+Nqeed=Dr=fgC=0VCn72b_8g-6H01u8-Qjqw@mail.gmail.com>
References: <2847810.DkTLEJYpS7@pintsize.usersys.redhat.com> <CAF8qwaCg6NkDNJ0x5g=67MVwTMj++ku=g-hvgS+R24u5ifqAFA@mail.gmail.com> <CABcZeBPm-Cwgh8+Nqeed=Dr=fgC=0VCn72b_8g-6H01u8-Qjqw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart14031589.M4D56unV4v"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 02 Sep 2016 19:35:41 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NHdFP33Q3F_2vFB6BGsazLUn89k>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] handling of duplication of extensions between ServerHello and EncryptedExtensions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Sep 2016 19:35:44 -0000

On Friday, 2 September 2016 12:23:03 CEST Eric Rescorla wrote:
> I agree. FWIW, this is how NSS behaves. A clarifying PR would be welcome
> here.

that was an easy one: https://github.com/tlswg/tls13-spec/pull/622

since there's already text prohibiting that situation:

  The ServerHello MUST only include extensions which are               
  required to establish the cryptographic context. Currently the only           
  such extensions are "key_share", "pre_shared_key", and "early_data".          
  Clients MUST check the ServerHello for the presence of any forbidden          
  extensions and if any are found MUST terminate the handshake with a           
  "illegal_parameter" alert.

and

   Extensions which are designated to               
   appear in ServerHello MUST NOT appear in EncryptedExtensions. Clients              
   MUST check EncryptedExtensions for the presence of any forbidden                
   extensions and if any are found MUST terminate the handshake with an            
   "illegal_parameter" alert.
 
> On Fri, Sep 2, 2016 at 12:21 PM, David Benjamin <davidben@chromium.org>
> 
> wrote:
> > Huh. I agree that text is weird. We should probably remove it. I think we
> > actually get something akin to what you suggest basically implicitly:
> > 
> > Servers aren't allowed to send unsolicited extensions, so your SH and EE
> > parsers should be rejecting any unknown extensions. If you combine that
> > with not accepting known extensions in the wrong context (unencrypted ALPN
> > or encrypted key_share) since extensions already specify which messages
> > they may live in, this all works out.
> > 
> > So even if we explicitly say this rule, I don't think reflecting it in
> > code is the cleanest implementation strategy. (It requires one keep a list
> > of SH extensions and compare against it.) It might be better to say that
> > extensions in unexpected contexts should be rejected like any other
> > unexpected extension.
> > 
> > David
> > 
> > On Fri, Sep 2, 2016 at 1:31 PM Hubert Kario <hkario@redhat.com> wrote:
> >> So, the draft has following text:
> >>     The same extension types MUST NOT appear in both the ServerHello and
> >>     EncryptedExtensions.  If the same extension appears in both
> >>     locations,
> >>     the client MUST rely only on the value in the EncryptedExtensions
> >>     block.
> >> 
> >> if the extension "MUST NOT" be in both ServerHello and
> >> EncryptedExtensions,
> >> why the client should continue with the handshake if a server makes such
> >> a
> >> major mistake? Why aborting the connection in such situation isn't safer?
> >> --
> >> Regards,
> >> Hubert Kario
> >> Senior Quality Engineer, QE BaseOS Security team
> >> Web: www.cz.redhat.com
> >> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech
> >> Republic_______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
> > 
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email