Re: [TLS] Problem with DTLS 1.2 handshake
Jim Schaad <ietf@augustcellars.com> Mon, 26 March 2018 13:48 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25033127522 for <tls@ietfa.amsl.com>; Mon, 26 Mar 2018 06:48:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CPQRZ9I6ux7i for <tls@ietfa.amsl.com>; Mon, 26 Mar 2018 06:48:21 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99C57127419 for <tls@ietf.org>; Mon, 26 Mar 2018 06:48:20 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 26 Mar 2018 06:46:06 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Eric Rescorla' <ekr@rtfm.com>
CC: tls@ietf.org
References: <027001d3c503$a78b14c0$f6a13e40$@augustcellars.com> <CABcZeBMTusQvQXfGbq+LRWBSDrvBu2bZcV0TBzo8VLDsQSm6pw@mail.gmail.com>
In-Reply-To: <CABcZeBMTusQvQXfGbq+LRWBSDrvBu2bZcV0TBzo8VLDsQSm6pw@mail.gmail.com>
Date: Mon, 26 Mar 2018 06:48:10 -0700
Message-ID: <028101d3c509$15631970$40294c50$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0282_01D3C4CE.690552E0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGZVpmGLWytkyBqaG2W2T6A8/E9gwDQD183pFDjy2A=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RRtOOkhUFkfPzc9-f56xjk4YD08>
Subject: Re: [TLS] Problem with DTLS 1.2 handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 13:48:23 -0000
Yes, I am talking about the TLS record MAC. In my case this was happening because of a misconfiguration on the PSK. When we finally figured out that this was a MAC error on the record, then we immediately looked at the values of the PSK knowing that this was the most likely failure. The fact that in the main handshake this leads to a large amount of retries by the client I am not sure that this is just a slower failure detection. I agree that this is less of an issue for a simple rotate the keys problem. I am slightly worried about having the same problem on a re-negotiation though. Jim From: Eric Rescorla <ekr@rtfm.com> Sent: Monday, March 26, 2018 6:24 AM To: Jim Schaad <ietf@augustcellars.com> Cc: <tls@ietf.org> <tls@ietf.org> Subject: Re: [TLS] Problem with DTLS 1.2 handshake First, just for clarification, you mean the TLS record MAC on the Finished rather than the TLS Finished MAC, right? Assuming that is correct, then I believe this is reasonable behavior. It makes the protocol somewhat more resistant to damaged bits on the wire. Note that QUIC takes this position even further: every packet is integrity protected (the initial packets use a key based on the CID). The primary consequence of this is slower failure detection, but the kind of case you're talking about primarily happens when there is an implementation error, so not much in the field anyway. -Ekr On Mon, Mar 26, 2018 at 6:09 AM, Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com> > wrote: I appear to have run across an implementation that does not appear to violate the specification, but which in my opinion is just plain wrong. I am doing a handshake with PSK. On the second flight from the client it sends [ChangeCipherSpec] Finished The server sees that the ChangeCipherSpec occurs and moves to use the keys. It then attempts to validate the MAC on the Finished message and silently ignores the Finish message because the MAC is incorrect and the text says that it is legal to ignore packets which have a bad MAC. This means that my client re-sends the same flight to the server on and on because it never gets a response and assumes that the packet must be getting lost in transit. The document does not say that ignoring of bad MACs does not apply until the Finished message is received and processed. I am not sure, but I believe the document needs to say that one cannot ignore a failed MAC on the first block of data in any epoch and must error on those messages. I have not looked to see if this is an issue for DTLS 1.3, but it could easily be. Jim _______________________________________________ TLS mailing list TLS@ietf.org <mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls
- [TLS] Problem with DTLS 1.2 handshake Jim Schaad
- Re: [TLS] Problem with DTLS 1.2 handshake Eric Rescorla
- Re: [TLS] Problem with DTLS 1.2 handshake Jim Schaad
- Re: [TLS] Problem with DTLS 1.2 handshake Eric Rescorla