[TLS] More clarity on resumption and session hash
Eric Rescorla <ekr@rtfm.com> Mon, 25 May 2015 17:36 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB5CE1ACD7C for <tls@ietfa.amsl.com>; Mon, 25 May 2015 10:36:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.723
X-Spam-Level:
X-Spam-Status: No, score=0.723 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LxjD_nb8I7EX for <tls@ietfa.amsl.com>; Mon, 25 May 2015 10:36:12 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD8D01ACD63 for <tls@ietf.org>; Mon, 25 May 2015 10:36:11 -0700 (PDT)
Received: by wifw1 with SMTP id w1so4212580wif.0 for <tls@ietf.org>; Mon, 25 May 2015 10:36:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=jxJBFLDL3+426ahx6M6lPk82LSQa7OpvKm6+95YnISo=; b=S6prA7ZIaD/tpVaYxrZZfhcEYTbgFQq/5EsJVxXyjCv7LeSCy6ceyI3n6xlEBz2xqk UTqSxxkR054p+gwstnJreM4Lc5JwYnk1Sgo6OUtIjF/yH0X+4+m4yvrcfccaBKK6zuPB h8s2Xk6hmbP1MBJ8jLUXyg2fzRF/8yvkc8r/btxC/sAJ33S76l6XIqr9a6Xb9CS4HsPP teuXcV5aQo5w57weA7dY04+4e0nqa/1o6IdiDDhWU6oxDum/e3QZG/R6Lu1IXLDxfHGV x6ulISV7lK3yTisnvnWPNskBtxvx5brRQci4fkfuxfHYJAME/ZaPuy5VSlvnJdgX/Y7h OwzQ==
X-Gm-Message-State: ALoCoQlzmyjTbwrf82IDhf017VGk3kk4NY444VFomlP8FEjCRV4Lh1clqa7qXBhcKDlUi+bk1Kyo
X-Received: by 10.194.59.79 with SMTP id x15mr24257494wjq.81.1432575370643; Mon, 25 May 2015 10:36:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.225.14 with HTTP; Mon, 25 May 2015 10:35:30 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 25 May 2015 10:35:30 -0700
Message-ID: <CABcZeBM9UGZoifzDZZ3METMJJHa1ueX9CdHiccYTDW5UVC3RrA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="047d7b8737ae14f6340516eb7252"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Q-WFl9sTXqy0Yn58pTASIMJutuo>
Subject: [TLS] More clarity on resumption and session hash
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 May 2015 17:36:14 -0000
I'm updating the NSS session hash implementation to conform to the new spec and I see that it's very clear on what happens when you have a resumption where the original handshake did not include the extension and the new one does (thanks David and Martin) o If the original session did not use an extended master secret but the new ClientHello does contain the "extended_master_secret" extension, the server MUST NOT perform the abbreviated handshake. Instead, it SHOULD continue with a full handshake to negotiate a new session. However, it's less clear on what happens when the original handshake included the extension and the new one does not: o If the new ClientHello does not contain the "extended_master_secret" extension, the server SHOULD abort the handshake. If it continues with an abbreviated handshake in order to interoperate with legacy peers, then the considerations in Section 5.4 apply. This doesn't seem to distinguish between the two cases (original session did and did not use the extension), but they seem different, since the original session not using session hash is a common case (legacy) whereas an extension->no extension transition is an anomaly. Note that the client *is* required to send it, so I think there's a reasonably strong argument that the server should require it. The two main options appear to be: 1. Fall back to a full handshake. 2. Abort the connection The argument for the first appears to be interop. The argument for the second appears to be that it's likely there is an error or a mid-flight reconfiguration on the client (which seems not good). My mild preference is for abort but I think it's important in any case that the draft be clear. Similarly, the text about the client side doesn't seem to draw this distinction: If the new ServerHello does not contain the "extended_master_secret" extension, the client SHOULD abort the handshake. If it continues with an abbreviated handshake in order to interoperate with legacy peers, then the considerations in Section 5.4 apply. Because above the server is required to provide the extension when resuming a session where the extension was negotiated, it seems like we should require the client to fail in that case (that's the sense of the MUST). I see there was some discussion on the list 3/10 but it was inconclusive. -Ekr
- [TLS] More clarity on resumption and session hash Eric Rescorla
- Re: [TLS] More clarity on resumption and session … Karthikeyan Bhargavan
- Re: [TLS] More clarity on resumption and session … Eric Rescorla
- Re: [TLS] More clarity on resumption and session … Martin Thomson
- Re: [TLS] More clarity on resumption and session … Karthikeyan Bhargavan
- Re: [TLS] More clarity on resumption and session … Ilari Liusvaara
- Re: [TLS] More clarity on resumption and session … Karthikeyan Bhargavan
- Re: [TLS] More clarity on resumption and session … Ilari Liusvaara
- Re: [TLS] More clarity on resumption and session … Ilari Liusvaara
- Re: [TLS] More clarity on resumption and session … David Benjamin
- Re: [TLS] More clarity on resumption and session … David Benjamin
- Re: [TLS] More clarity on resumption and session … Nico Williams
- Re: [TLS] More clarity on resumption and session … Martin Thomson
- Re: [TLS] More clarity on resumption and session … Eric Rescorla
- Re: [TLS] More clarity on resumption and session … David Benjamin
- Re: [TLS] More clarity on resumption and session … Salz, Rich
- Re: [TLS] More clarity on resumption and session … David Benjamin
- Re: [TLS] More clarity on resumption and session … David Benjamin
- Re: [TLS] More clarity on resumption and session … Adam Langley