IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Martin Rex <mrex@sap.com> Wed, 18 November 2009 21:22 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 94DC23A6846 for <tls@core3.amsl.com>; Wed, 18 Nov 2009 13:22:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.045
X-Spam-Level:
X-Spam-Status: No, score=-6.045 tagged_above=-999 required=5 tests=[AWL=0.204, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyGL79M7gzeZ for <tls@core3.amsl.com>; Wed, 18 Nov 2009 13:22:54 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 93FB83A67A1 for <tls@ietf.org>; Wed, 18 Nov 2009 13:22:54 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAILMnOU003976 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 18 Nov 2009 22:22:49 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911182122.nAILMm23018985@fs4113.wdf.sap.corp>
To: rdugal@certicom.com
Date: Wed, 18 Nov 2009 22:22:48 +0100
In-Reply-To: <7E1DF37F1F42AB4E877E492C308E6AC40251FFD4@XCH57YKF.rim.net> from "Robert Dugal" at Nov 18, 9 07:39:20 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2009 21:22:55 -0000

Robert Dugal wrote:
> 
> I noticed you said this in the jabber log http://www.ietf.org/jabber/logs/tls/2009-11-12.txt 
> 
> [06:31:06] <EKR> It occurred to me the other day that there is
> a special case where hte server does not need to refuse renegotiation:
> when the client has sent no data yet.
> [06:31:20] <EKR> This would allow step-up/SGC to continue to work
> assuming we cared it)

Define "client has sent no data yet" ?

There is an implementors note in TLSv1.2, section about "Fragmentation"
that is as old as SSLv3 which requires that application can be
arbitrarily interleaved with a renegotiation handshake.

So the MitM can inject the data before forwarding the ChangeCipherSpec
message.  So whenever you implement something for this special case,
make sure that your TLS implementation checks "client has sent no data yet"
concurrently with verifying the finished message (unless it fails
reliably when receiving application data during the renegotiation
handshake).



> 
> Our products do support step-up/SGC and some customers may still be
> using it, or at least have servers with SGC certificates.
> Since there is no vulnerability is this special case, should
> some note be added to the draft? 

You mean like enumerating conceivable usage scenarios that
TLS extension RI is very likely to break?


Maybe a spec where that section is very small or empty
would be more appreciated by the community.


-Martin

v2.23.0 | Report a Bug | By Email