[TLS] More clarity on resumption and session hash

Eric Rescorla <ekr@rtfm.com> Mon, 25 May 2015 17:36 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB5CE1ACD7C for <tls@ietfa.amsl.com>; Mon, 25 May 2015 10:36:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.723
X-Spam-Level:
X-Spam-Status: No, score=0.723 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LxjD_nb8I7EX for <tls@ietfa.amsl.com>; Mon, 25 May 2015 10:36:12 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD8D01ACD63 for <tls@ietf.org>; Mon, 25 May 2015 10:36:11 -0700 (PDT)
Received: by wifw1 with SMTP id w1so4212580wif.0 for <tls@ietf.org>; Mon, 25 May 2015 10:36:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=jxJBFLDL3+426ahx6M6lPk82LSQa7OpvKm6+95YnISo=; b=S6prA7ZIaD/tpVaYxrZZfhcEYTbgFQq/5EsJVxXyjCv7LeSCy6ceyI3n6xlEBz2xqk UTqSxxkR054p+gwstnJreM4Lc5JwYnk1Sgo6OUtIjF/yH0X+4+m4yvrcfccaBKK6zuPB h8s2Xk6hmbP1MBJ8jLUXyg2fzRF/8yvkc8r/btxC/sAJ33S76l6XIqr9a6Xb9CS4HsPP teuXcV5aQo5w57weA7dY04+4e0nqa/1o6IdiDDhWU6oxDum/e3QZG/R6Lu1IXLDxfHGV x6ulISV7lK3yTisnvnWPNskBtxvx5brRQci4fkfuxfHYJAME/ZaPuy5VSlvnJdgX/Y7h OwzQ==
X-Gm-Message-State: ALoCoQlzmyjTbwrf82IDhf017VGk3kk4NY444VFomlP8FEjCRV4Lh1clqa7qXBhcKDlUi+bk1Kyo
X-Received: by 10.194.59.79 with SMTP id x15mr24257494wjq.81.1432575370643; Mon, 25 May 2015 10:36:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.225.14 with HTTP; Mon, 25 May 2015 10:35:30 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 25 May 2015 10:35:30 -0700
Message-ID: <CABcZeBM9UGZoifzDZZ3METMJJHa1ueX9CdHiccYTDW5UVC3RrA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=047d7b8737ae14f6340516eb7252
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Q-WFl9sTXqy0Yn58pTASIMJutuo>
Subject: [TLS] More clarity on resumption and session hash
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 May 2015 17:36:14 -0000

I'm updating the NSS session hash implementation to conform to the new spec
and I see that it's very clear on what happens when you have a resumption
where the original handshake did not include the extension and the new one
does (thanks David and Martin)

  o  If the original session did not use an extended master secret but
      the new ClientHello does contain the "extended_master_secret"
      extension, the server MUST NOT perform the abbreviated handshake.
      Instead, it SHOULD continue with a full handshake to negotiate a
      new session.

However, it's less clear on what happens when the original handshake
included
the extension and the new one does not:

   o  If the new ClientHello does not contain the
      "extended_master_secret" extension, the server SHOULD abort the
      handshake.  If it continues with an abbreviated handshake in order
      to interoperate with legacy peers, then the considerations in
      Section 5.4 apply.

This doesn't seem to distinguish between the two cases (original session
did and did not use the extension), but they seem different, since the
original session not using session hash is a common case (legacy) whereas
an extension->no extension transition is an anomaly. Note that the client
*is* required to send it, so I think there's a reasonably strong
argument that the server should require it.

The two main options appear to be:

    1. Fall back to a full handshake.
    2. Abort the connection

The argument for the first appears to be interop. The argument for the
second appears to be that it's likely there is an error or a mid-flight
reconfiguration on the client (which seems not good). My mild preference
is for abort but I think it's important in any case that the draft be
clear.


Similarly, the text about the client side doesn't seem to draw this
distinction:

      If the new ServerHello does not contain the
      "extended_master_secret" extension, the client SHOULD abort the
      handshake.  If it continues with an abbreviated handshake in order
      to interoperate with legacy peers, then the considerations in
      Section 5.4 apply.

Because above the server is required to provide the extension when
resuming a session where the extension was negotiated, it seems like
we should require the client to fail in that case (that's the sense
of the MUST).

I see there was some discussion on the list 3/10 but it was inconclusive.

-Ekr