Re: [TLS] TLSrenego - current summary of semantics and possibilities
<Pasi.Eronen@nokia.com> Wed, 11 November 2009 09:05 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3472328B56A for <tls@core3.amsl.com>; Wed, 11 Nov 2009 01:05:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.54
X-Spam-Level:
X-Spam-Status: No, score=-6.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gmqv-xN6EARC for <tls@core3.amsl.com>; Wed, 11 Nov 2009 01:05:13 -0800 (PST)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233]) by core3.amsl.com (Postfix) with ESMTP id 32C903A69AD for <tls@ietf.org>; Wed, 11 Nov 2009 01:05:12 -0800 (PST)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx06.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id nAB95GNL016205; Wed, 11 Nov 2009 11:05:37 +0200
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 11 Nov 2009 11:05:35 +0200
Received: from vaebh101.NOE.Nokia.com ([10.160.244.22]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 11 Nov 2009 11:05:36 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.8]) by vaebh101.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Wed, 11 Nov 2009 11:05:31 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-04.mgdnok.nokia.com ([65.54.30.8]) with mapi; Wed, 11 Nov 2009 10:05:24 +0100
From: Pasi.Eronen@nokia.com
To: mrex@sap.com, mike-list@pobox.com
Date: Wed, 11 Nov 2009 10:05:20 +0100
Thread-Topic: [TLS] TLSrenego - current summary of semantics and possibilities
Thread-Index: AcpiO/1MyR/4JmGwRxehwQk6vAbUhwAcKhyg
Message-ID: <808FD6E27AD4884E94820BC333B2DB774F30DD16C4@NOK-EUMSG-01.mgdnok.nokia.com>
References: <4AF99E04.3060604@pobox.com> from "Michael D'Errico" at Nov 10, 9 09:08:20 am <200911101928.nAAJSGjI020038@fs4113.wdf.sap.corp>
In-Reply-To: <200911101928.nAAJSGjI020038@fs4113.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 11 Nov 2009 09:05:31.0076 (UTC) FILETIME=[1E9A9840:01CA62AE]
X-Nokia-AV: Clean
Cc: tls@ietf.org
Subject: Re: [TLS] TLSrenego - current summary of semantics and possibilities
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 09:05:15 -0000
Martin, I think we should provide *some* way to make this secure while still allowing "fallback to less advanced TLS handshakes" (e.g. from "TLS 1.2 with extensions" to "TLS 1.0 without any extensions", or even "SSLv3 without any extensions" -- the specifics vary from one implementation to another, but I think "without extensions" is one common part). Those fallbacks aren't going to go away any time soon... Of the possibilities listed in your email, my preference would to allocate a cipher suite number that means "I support the renegotiation extension, but chose not to include it" (perhaps because an earlier connection with the extensions failed -- which could have been caused by the attacker). (If I recall right, some tests I run around 2006 suggested that some servers didn't like ClientHello's proposing non-NULL compression algorithms -- so a magic compression algorithm number might lead to interop problems, too. But AFAIK all servers properly ignore cipher suite numbers they don't support...) Best regards, Pasi (speaking as individual contributor, not wearing any hats) > -----Original Message----- > From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of > ext Martin Rex > Sent: 10 November, 2009 21:28 > To: Michael D'Errico > Cc: tls@ietf.org > Subject: [TLS] TLSrenego - current summary of semantics and > possibilities > > Michael D'Errico wrote: > > > > A client that wants protection from this attack MUST send the > extension > > in its initial handshake. Why don't you want to do that? > > If there were only well-behaved servers out there, there would not > be any problem. > > The default configuration of MSIE6 on WinXP to disable TLSv1.0, as well > as newer browsers providing a reconnect fallback to SSLv3-only > ClientHello > indicate that there is an installed base of TLS servers that either > predates the SSLv3 internet-draft from Nov,18th 1996 or is defective. > > There used to be a draft draft-pettersen-tls-interop-experience-xx.txt > (I have archived a -00 that expired oct-2006), which describes the > mess around spec non-compliance. TLS-extensions are covered in section > 4. > > What it seems to indicate, in essence, is that the for maximum > interoperability with the installed base of (broken) servers out there, > you use a SSLv3 ClientHello with (0x03,0x00) in the client.version > and _no_ TLS extensions. > > So conservative clients that do not want to implement reconnect > fallbacks may have a problem with the recommendation to always > use a TLS extension. > > > > There are a number of things we would like to achieve with a fix: > > - provide a method for secure renegotiation in the future > > - deprecate the traditional renegotiation > > - provide a secure base for the (previously flawed) assumptions > of servers when performing a renegotiation to request a > client certificate. > > > in oder to achieve this, we should probably make the following > recommendations: > > - if a TLS client (any protocol version, including SSLv3) performs > renegotiation (i.e. sends a ClientHello over an established > TLS session with a ciphersuite other than TLS_NULL_WITH_NULL_NULL), > then it SHOULD always and unconditionally use the TLS extension > Renegotiation_Info containing the verify_data of the > client.finished > handshake message from the active TLS session, > The TLS client should do that even when it did not send the > TLS extension Renegotiation_Info with and empty extension data > in the initial TLS handshake on a connection! > > Lacking application level re-connect provisions for forward- > incompatible > SSL/TLS servers, a TLS client might not want to sent the TLS > extension > in the initial ClientHello of a connection. > > If the presence of the TLS extension Renegotiation_Info causes the > server to abort the TLS connection, then that > server is not capable of secure renegotiation, and the TLS client > should abort the Handshake with an error and close the connection > in order to protect the client and the clients credential from > abuse with servers that are still vulnerable to the TLS > renegotiation problem. > > - A TLS server (any protocol version, including SSLv3) should require > the presence of a TLS extension Renegotiation_Info for _every_ > renegotiation handshake. > > If the TLS extension Renegotiation_Info is absent from the > ClientHello > received on an active TLS session, the server should abort the > connection. (add Alert here) > > If the TLS extension Renegotiation_Info is present, then the TLS > server > MUST verify the contained verify_data of the client.finished > message > as known to the client with its own memorized client.finished > message from the SecurityParameters of the current TLS connection > state. > > If the comparison of the verify_data from the client.finished > messages fails, the server MUST abort the connection. > > When the client's and the server's notion of the verify_data from > the previous TLS session compare equal, the server MUST send back > the TLS extension RenegotiationInfo with in a ServerHelloExtension > containing the verify_data from the client.finished message and > the verify_data from the server.finished message. > > - A TLS client (any protocol version, including SSLv3) that receives > the TLS extension Renegotiation_Info in a ServerHello extension > must compare the extension data with its own SecurityParameters > in the TLS connection state. > > If the Renegotiation_Info with empty extension_data is received > on a client's initial TLS handshake, everything is fine > > If the Renegotiation_Info with empty extension_data is received > on an active TLS session, the client MUST abort the handshake > with an error and close the connection. > > If the Renegotiation_Info with non-empty extension_data is received > on a client's initial TLS handshake, the client MUST abort the > handshake > with an error and close the connection. > > If the Renegotiation_Info with non-empty extension_data is received > on a client's renegotiation handshake, the client MUST compare the > contained verify_data of the server-memorized client.finished and > server.finished messages with its own memorized verify_data for > both finished messages in the SecurityParameters of the TLS > connection > state for the current session. > - if they compare equal, everything is fine > - if they do not match, the client MUST abort the handshake and > close the connection. > > > > It is possible that a TLS client may not want to assert the TLS > extension > Renegotiation_Info in an initial ClientHello because of > interoperability > concerns with an installed base of not-quite-spec-compliant servers. > > What other strategies could be used on the initial handshake on a > connection with lesser side effects that a TLS extension > Renegotiation_Info > with empty extension_data? > > > Overloading ("abusing") the semantics of other regular elements > of an SSL/TLS handshake that have a lesser likelihood to upset > legacy servers. > > - Assign one (or two) specific ciphersuite IDs that the client > can include in the ciphersuites list which signal the clients > notion of the connection state (initial vs. renegotiation) > to the server. > > - Assign one (or two) compression algorithm IDs that the client > can include in the supported compression algorithms list which > signal the clients notion of the connection state (initial vs. > renegotiation) to the server. > > I assume that a Client->Server signalling through a special cipher > suite > might be the easy to implement for clients and expect that it has the > least side effects on handshakes with old servers. > > Fancy compression algs might be less digestable to old servers. > > > Both of these (one or two fany ciphersuites in the ciphersuite > list of the client) can only be used for signalling from client > to server, not in the direction server to client. > > > What could be used to signal from the server to the client that the > client should send the TLS extension Renegotiation_Info in the > ClientHello of a renegotiation handshake if the client does not > want to send the TLS extension in the initial handshake of a > connection? > > We could define a new TLS handshake message "RenegotiationRequest" > to be sent instead of a "HelloRequest". This would be an option for > those servers, that will abort the handshake and connection > if the client does not send the TLS extension Renegotiation_Info. > > The purpose of a RenegotiationRequest would be to encourage clients to > send the TLS extension Renegotiation_Info, in order to keep existing > usage scenarios usable. The message itself is not protected, but > that doesn't matter. The servers decision for success or failure > of the renegotiation depends only and entirely on the use of > the TLS extension Renegotiation_Info in the renegotiation handshake > and successful verification of the verify_data from the > client.finished handshake message of the active TLS session. > > > > -Martin > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Pasi.Eronen
- [TLS] assert TLSext in renego-ServerHello instead… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- [TLS] TLSrenego - current summary of semantics an… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Steve Dispensa
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Yair Elharrar
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Marsh Ray
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Protected Renegotiation -- refined proposal Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Dr Stephen Henson
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Nasko Oskov
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Michael D'Errico
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- [TLS] A crazy idea Michael D'Errico
- Re: [TLS] A crazy idea Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] A crazy idea Michael D'Errico
- Re: [TLS] Protected Renegotiation -- refined prop… Yoav Nir
- Re: [TLS] A crazy idea Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Joseph Salowey (jsalowey)
- Re: [TLS] A not-so crazy idea Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] A not-so crazy idea Yair Elharrar
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Nelson B Bolyard
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson Bolyard