Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-renegotation: next
Martin Rex <mrex@sap.com> Thu, 17 December 2009 15:23 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C0B5428C123 for <tls@core3.amsl.com>; Thu, 17 Dec 2009 07:23:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.196
X-Spam-Level:
X-Spam-Status: No, score=-6.196 tagged_above=-999 required=5 tests=[AWL=0.053, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmhCSFo6Wdpw for <tls@core3.amsl.com>; Thu, 17 Dec 2009 07:23:42 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id E01343A6801 for <tls@ietf.org>; Thu, 17 Dec 2009 07:23:41 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nBHFNOs2019323 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 17 Dec 2009 16:23:24 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912171523.nBHFNOMU024985@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Thu, 17 Dec 2009 16:23:24 +0100
In-Reply-To: <4B29CB55.4060306@extendedsubset.com> from "Marsh Ray" at Dec 17, 9 00:10:29 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-renegotation: next
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 15:23:43 -0000
Marsh Ray wrote: > > Obviously the part that says > > If this is the initial handshake for a connection, then the > > "renegotiated_connection" field is of zero length in both the > > ClientHello and the ServerHello. > is not limiting itself to renegotiations. > > I don't know how the IETF rules work, if a future implementaion can say > it implements proper TLS without implementing this extension. In > practice, every TLS implementation (except perhaps yours) is going to > want to implement the security fix properly lest they be shunned by > other implementations. I'm not an IETF process wizard. but I have not knowingly come across such a situation with IETF protocols so far. There will likely not be TLSv1.0-2010, TLSv1.1-2010 and TLSv1.2-2010. There will be implementations of particular RFCs, but if an implementation says TLSv1.0, that will not _by_itself_ imply that this includes any updates. You will probably need to look for the update-RFC number to be explicitly mentioned. The point in time when a product is developed or shipped or sold does not impact this at all. > > > Section 4 seems to be incomplete, the last paragraph describes > > the situation only for non-renegotiating clients, the paragraph > > for non-renegotiating servers appears to be missing from section 4, > > but belongs there as well and with comparable characteristics > > than for non-renegotiating clients. > > You appear to be questioning why there isn't an equivalent statement > about servers which do not renegotiate. Correct. The absence of that makes that update unnecessary complex. Myself, I don't have any of the gadgets like these: http://www.networkwebcams.co.uk/product_info.php?products_id=855 which implement SSL. I don't know whether they desperately need renegotiation, but I woul not discount the possibility that they do not need it. I don't know how many years manufacturers provide firmware updates for such gadgets, and how difficult it is to update them. But if such a thing doesn't need renegotiation, then it might make a difference for the decision for a manufacturer whether to develop a firmware update for a 3+ year old product, whether there's a simple "I'm updated" signaling available. I guess we will get accustomed to using several browsers in a year in order to not have to unnecessarily dump a lot of equiment that isn't really defective, but no longer interoperable with browsers from some suppliers. Those weenies in the IETF that ask for interoperability in communication protocols do not have a clue about communication _and_ security, and do not understand how important it is that you Javascript- and ActiveContent-enabled Browser no longer talks to this dangerous WebCam and all those other boxes and gadgets that you bought more than two years ago. > > It's not an equivalent situation because the server must respond to the > client hello as it was sent and can not "simply use the SCSV in all > initial handshakes" like the client can. The logic for a > non-renegotiating server does not reduce as much as it does for a > non-renegotiating client. Well, it _could_ be like that, as demonstrated by my specification. > > >> TLS does not define such a thing as a "server that does not > >> renegotiate". There are a number of things that TLS fails to define -- which is exactly the reason why the TLS renegotiation vulnerability went unnoticed for so long. My copy of rfc-5246 clearly describes that there are non-renegotiating clients and servers: rfc5246, Appendix D D.4. Implementation Pitfalls Implementation experience has shown that certain parts of earlier TLS specifications are not easy to understand, and have been a source of interoperability and security problems. TLS protocol issues: - Do you support renegotiation, both client and server initiated? While renegotiation is an optional feature, supporting it is highly recommended. > > >> Therefore, it is impossible for a general-purpose client to know this > >> about any specific server. > >> > >> Therefore, it is a useless consideration for the protocol design. > > > > Huh? > > Yes. It is impossible for a TLS clients to know that they are talking to > a server which can not be triggered to renegotiate in the general case, > or even in most specific cases. So what? Do you think that dropping from HTTPS as it is today to HTTP will be an improvement to the overall security of the internet, because you _are_, in fact, suggesting this? > > > If you want to reliably disable it, it's <10 LoC. > > http://cvs.openssl.org/timeline?d=5&e=2009-Nov-10&c=2&px=&s=1&dt=1&x=1&m=1&w=0 > > It was a little more than 10 LoC, but not a huge amount either. As I previously mentioned, the "official" patch that is currently in openssl-0.9.8l seems a little rough, because it will freeze the handshake when the client sends a ClientHello on an established TLS session. The patch that I would use to reliably abort a renegotiation handshake would be something like s3_srvr.c: case SSL3_ST_SR_CLNT_HELLO_C: + if (NULL != s->enc_read_ctx) + { + SSLerr( /* some adequate error code */ ); + s3_send_alert(s,SSL_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); + return(-1); + } ... ssl3_get_client_hello(s,...) > > > I'm sure the OpenSSL code maintainers didn't need a code inspection > > in order to find out which statements would be necessary to > > make sure the renegotiation will _not_ work. > > I guess you've never looked at the OpenSSL codebase then. But I don't > actually know of any codebase in which you can usefully change it > without a little code inspection first. No, I didn't. That diff I posted which implements my specification is only a wild guess an works by pure chance, just like a lot of those TLS protocol implementations that you know perform renegotiation without their original _implementors_ being aware of it. -Martin
- [TLS] draft-ietf-tls-renegotation: next steps Pasi.Eronen
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Paul Hoffman
- Re: [TLS] draft-ietf-tls-renegotation: next steps Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Eric Rescorla
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Kemp, David P.
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- [TLS] Generic process issues (Re: Re: draft-ietf-… Nicolas Williams
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Pasi.Eronen
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Kyle Hamilton
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next David-Sarah Hopwood