Re: [TLS] Proposed text for removing renegotiation

Martin Thomson <martin.thomson@gmail.com> Wed, 11 June 2014 20:01 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C09B1A0273 for <tls@ietfa.amsl.com>; Wed, 11 Jun 2014 13:01:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UwDB5WaoWCGE for <tls@ietfa.amsl.com>; Wed, 11 Jun 2014 13:01:43 -0700 (PDT)
Received: from mail-we0-x22f.google.com (mail-we0-x22f.google.com [IPv6:2a00:1450:400c:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B1A91A026D for <tls@ietf.org>; Wed, 11 Jun 2014 13:01:43 -0700 (PDT)
Received: by mail-we0-f175.google.com with SMTP id p10so254104wes.20 for <tls@ietf.org>; Wed, 11 Jun 2014 13:01:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Axbg98c9q6+cSOS5msl3wohVIpSdTm1gaBTn82b9C4Q=; b=dbXDQDuQxychF9YslWHHUDJz/tZYAPYEeLwQfSrTJjPEYZSrQ90wRkfIGtWKxWLMrU nUoR6xl2Co2RNjrVnKsh1s1elTtDeS1rrilrNQFsJdMQUXf2HkOGAxmMO1Z8r+ilUxKK 3NUapTg0SLL98QOVQTDXxwY2cVVBo6u3DsnDb7V8PpdaGDYZ8e5FHFOdn0PU+CfBcEUC F+mhuGuialKVImIkYLGc/K4SmZ5zH089o2m7vqG6NDX01kEnG2bLX/Z5yN7l6lFunQlt 057NV3h5LAog5bnam3xfFA33dkuMrVC7cHDCYPvEs/nlAyfbYxcVkHsjCTtbwgqtZy6V +8mQ==
MIME-Version: 1.0
X-Received: by 10.180.19.233 with SMTP id i9mr144652wie.38.1402516901772; Wed, 11 Jun 2014 13:01:41 -0700 (PDT)
Received: by 10.194.51.134 with HTTP; Wed, 11 Jun 2014 13:01:41 -0700 (PDT)
In-Reply-To: <319344a622ba450aa60d454fd9f97135@BL2PR03MB419.namprd03.prod.outlook.com>
References: <CAFewVt65X1V6=A_HP_pcg=6nXNVFLxQmSsPB2rq1KvmGPRz+og@mail.gmail.com> <20140606223045.3B5AF1AD46@ld9781.wdf.sap.corp> <CACsn0cmcc6kXvOuqkZaDj7+QPdpY9qqQ58bs3s-JBGXdNJSZyw@mail.gmail.com> <CABcZeBPe45BM-uXd7DEBD_BBn=jhk8KkYB=facp+NMb2e4nBiw@mail.gmail.com> <1402299260.2427.2.camel@dhcp-2-127.brq.redhat.com> <CABkgnnX5+fXNDy1o7Pu60rp8vSx7XfKbt337e_q=+3fb8fXHJw@mail.gmail.com> <fab4976db86243c5a02039866e3be457@BL2PR03MB419.namprd03.prod.outlook.com> <CABkgnnWn8YTZvh3=caLmpQtT+tUWJmx20J3cPrQJEObRQK4UiA@mail.gmail.com> <319344a622ba450aa60d454fd9f97135@BL2PR03MB419.namprd03.prod.outlook.com>
Date: Wed, 11 Jun 2014 13:01:41 -0700
Message-ID: <CABkgnnXOa7cyTK2pHSoPjGhjHaWTdZQ_PnwM3F=2vPEXCdFpyw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/PNA1GxH6Sa1Q7W1-FbGLqMIJQCI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Proposed text for removing renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jun 2014 20:01:45 -0000

To establish a bit more context here: the consensus in HTTPbis is to
provide a mechanism whereby servers are able to downgrade to HTTP/1.1
for the purposes of corner cases that are only properly supported by
HTTP/1.1.

Aside from some interesting legacy scenarios, client authentication
was considered a major reason for this feature.  We decided not to
adopt something like the -cant draft at the current time, since the
more generic capability was also needed.

On 11 June 2014 12:37, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> 1. An existing HTTP/1.1 server cannot take advantage of TLS 1.3 if TLS client auth is required. This is because an existing HTTP/1.1 server is not aware of httpbis-cant.

Correct.  That makes something like -cant a prerequisite of an upgrade
to TLS 1.3 for those servers.

> 2. An HTTP/2 server requires an updated TLS stack with tls-care support in order to perform TLS client auth. This is because HTTP/2 prohibits renegotiation.

This can be worked around.  In fact, the proposed text permits
renegotiation in TLS 1.2 (there is no "earlier" here because we
prohibit the use of earlier versions) prior to starting HTTP/2:

https://github.com/http2/http2-spec/pull/514/files#diff-8894168382f6487e5e38c4306e613a88R3430

(This isn't in the main spec due to a dependency issue, that text
captures the established consensus from the most recent interim
meeting.)

> 3. Even with the updated TLS stack in place, an HTTP/2 server cannot negotiate TLS 1.2 and earlier if TLS client auth is required. This is because TLS 1.2 and earlier would send the client cert in the clear, which is bad for client privacy.

See above workaround.  The cost there is an additional round trip (if
you do false start, that is, it's a lot more without).

> 4. Without renegotiation, TLS client auth requires additional round-trips to establish a new TCP connection.

Correct.