Re: [TLS] TLS and KCI vulnerable handshakes
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 12 August 2015 00:19 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F7B81A03E1 for <tls@ietfa.amsl.com>; Tue, 11 Aug 2015 17:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQ6YthwuXJ_N for <tls@ietfa.amsl.com>; Tue, 11 Aug 2015 17:19:43 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 2013C1A03A6 for <tls@ietf.org>; Tue, 11 Aug 2015 17:19:43 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id D86C7F984; Tue, 11 Aug 2015 20:19:40 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id CFADE201D4; Wed, 12 Aug 2015 02:19:30 +0200 (CEST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Martin Thomson <martin.thomson@gmail.com>, Clemens Hlauschek <clemens.hlauschek@rise-world.com>
In-Reply-To: <CABkgnnX9pGxwPFvPw5VUUst7-DX7fAbPC90bAz1EztxZ7K9KpA@mail.gmail.com>
References: <55C8CD7A.7030309@rise-world.com> <9A043F3CF02CD34C8E74AC1594475C73F4AD80F3@uxcn10-5.UoA.auckland.ac.nz> <9690882F-B794-4D1D-973F-DE7F90120CC3@gmail.com> <CABkgnnXruou6BbgZK8vWUeyb-gW5OTSZKPwPVPwZ826usNz9RA@mail.gmail.com> <20150811190544.GA13734@LK-Perkele-VII> <CABkgnnXnx7Fvt8oXNwMC3oLtXD4A4gFw6j-LWWuSkS3BasWqrg@mail.gmail.com> <55CA8783.8060201@rise-world.com> <CABkgnnX9pGxwPFvPw5VUUst7-DX7fAbPC90bAz1EztxZ7K9KpA@mail.gmail.com>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1 (x86_64-pc-linux-gnu)
Date: Tue, 11 Aug 2015 20:19:30 -0400
Message-ID: <874mk5nyst.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/PxG5laVmtx9WWSEZiXXmm7mYbU0>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS and KCI vulnerable handshakes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 00:19:44 -0000
On Tue 2015-08-11 19:59:35 -0400, Martin Thomson wrote: > On 11 August 2015 at 16:38, Clemens Hlauschek <clemens.hlauschek@rise-world.com> wrote: [ MT wrote: ] >>> NSS (incorrectly) adopts the posture that _ECDH_ suites are >>> half-static: the server share is in the certificate, but the client >>> side is fully ephemeral. This is clearly in violation of RFC 5246, >>> Section 7.4.7 and RFC 4492, Section 3.2. I'm not going to worry about >>> that right now :) >> >> Please elaborate. I do not see how this half-static behaviour >> constitutes any violations of the mentioned RFCs. > > Both the above cited sections say very clearly that for fixed (EC)DH > cipher suites the client where the client has a fixed (EC)DH > certificate, the client MUST send an empty ClientKeyExchange. that's not how i'm reading 5246 ยง7.4.7 -- i see it as saying if the client has decided to send a fixed (EC)DH cert, then it MUST send an empty ClientKey Exchange. I see no requirement that a client MUST send a certificate if it has one that satisfies the server's CertificateRequest (and i would be strongly opposed to adding such a requirement -- clients should not be forced to reveal identity to a server just because of CertificateRequest message in the handshake). so i think NSS is doing the Right Thing here too. --dkg
- [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Karthikeyan Bhargavan
- Re: [TLS] TLS and KCI vulnerable handshakes Martin Thomson
- Re: [TLS] TLS and KCI vulnerable handshakes Ilari Liusvaara
- Re: [TLS] TLS and KCI vulnerable handshakes Martin Thomson
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Martin Thomson
- Re: [TLS] TLS and KCI vulnerable handshakes Daniel Kahn Gillmor
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Viktor Dukhovni
- Re: [TLS] TLS and KCI vulnerable handshakes Viktor Dukhovni
- Re: [TLS] TLS and KCI vulnerable handshakes Peter Gutmann
- Re: [TLS] TLS and KCI vulnerable handshakes Salz, Rich
- Re: [TLS] TLS and KCI vulnerable handshakes Viktor Dukhovni
- Re: [TLS] TLS and KCI vulnerable handshakes Clemens Hlauschek
- Re: [TLS] TLS and KCI vulnerable handshakes Watson Ladd