IETF Logo Mail Archive

Re: [TLS] Interaction between cookies and middlebox compat mode

Matt Caswell <matt@openssl.org> Thu, 28 December 2017 08:54 UTC

Return-Path: <matt@openssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6514A12D85F for <tls@ietfa.amsl.com>; Thu, 28 Dec 2017 00:54:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lFY6T9Yitek2 for <tls@ietfa.amsl.com>; Thu, 28 Dec 2017 00:54:49 -0800 (PST)
Received: from mta.openssl.org (mta.openssl.org [194.97.150.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC6B112D858 for <tls@ietf.org>; Thu, 28 Dec 2017 00:54:48 -0800 (PST)
Received: from [10.17.10.6] (unknown [104.238.169.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta.openssl.org (Postfix) with ESMTPSA id DA470E6F68; Thu, 28 Dec 2017 08:54:46 +0000 (UTC)
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <9a7b1178-f856-ec63-c4b7-e2b29993e133@openssl.org> <CABcZeBMS9TeR-kFem4xHiWGVyKn5LbvDomdzL6vV_3XrKkravQ@mail.gmail.com>
From: Matt Caswell <matt@openssl.org>
Message-ID: <37a087f4-efbe-7eae-5539-d220ff67e243@openssl.org>
Date: Thu, 28 Dec 2017 08:54:45 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBMS9TeR-kFem4xHiWGVyKn5LbvDomdzL6vV_3XrKkravQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OktgiWiYdghNSONX6KijdQFV9LY>
Subject: Re: [TLS] Interaction between cookies and middlebox compat mode
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Dec 2017 08:54:51 -0000


On 27/12/17 19:33, Eric Rescorla wrote:
> 
> 
> On Wed, Dec 27, 2017 at 11:17 AM, Matt Caswell <matt@openssl.org
> <mailto:matt@openssl.org>> wrote:
> 
>     Consider the scenario where a server is operating statelessly (i.e.
>     using the cookie extension) and a client is operating in middlebox
>     compat mode.
> 
>     In that case the client sends an initial ClientHello and receives a
>     ServerHello(HRR) back with a cookie in it. Before it sends its second
>     ClientHello it first sends a dummy CCS.
> 
>     >From the server perspective it is operating statelessly so until it
>     gets
>     a ClientHello with a valid cookie in it, any message it receives is
>     considered the "first" one. Therefore, because the server has forgotten
>     about the initial interaction with the client, the first message it sees
>     is a CCS.
> 
>     Draft-22 says this:
> 
>       "An implementation may receive an unencrypted record of type
>        change_cipher_spec consisting of the single byte value 0x01 at any
>        time during the handshake and MUST simply drop it without further
>        processing."
> 
>     Does "any time during the handshake" include the very first message it
>     receives? If so then this has implications for servers that accept
>     connections from TLSv1.2 (and below) clients (regardless of whether the
>     server is stateless or not), i.e. an incoming connection that starts
>     with a CCS and then goes on to negotiate TLSv1.2 would be accepted which
>     seems odd.
> 
>     If it doesn't mean that then a stateless server will receive a CCS as
>     the first message and not know how to handle it.
> 
> 
> 
> The way that NSS handles this is to remember that the CCS was received
> and then if it turns out that you negotiate TLS 1.2, you throw an error in
> that case. With that said, in most of the cases where you are stateless,
> you're probably going to want to ignore bogus records anyway, which would
> include unexpected CCS.

So, do you believe that the correct interpretation of "any time during
the handshake" includes the first message? I think it would be helpful
to be more explicit in the text if that is the case, i.e. identify the
first point in the handshake and the last point in the handshake where
CCS is valid. There probably should also be some words about how servers
implementing older TLS versions should handle a CCS that comes first.

However, I'm concerned about the added complexity of interpreting things
that way. Suddenly a CCS arriving is no longer handled by just dropping
it and forgetting it - you now have to store state about that and
remember it later on in the process in other TLS versions. The CCS
workaround was supposed to be a simple no-op to implement and it no
longer appears that way in this interpretation.

Matt

v2.23.0 | Report a Bug | By Email