Re: [TLS] Collisions (Re: Nico's suggestions - Re: Consensus Call:

Nicolas Williams, Tue, 11 May 2010 15:23 UTC

Date: Tue, 11 May 2010 10:21:54 -0500
From: Nicolas Williams
To: Martin Rex

On Tue, May 11, 2010 at 03:39:50PM +0200, Martin Rex wrote:
> Nicolas Williams wrote:
> > Well...  Many applications might not.  Can the handshake be retried
> > transparently to the application?  Or will the application have to
> > close() its socket and re-connect()?
> Re-thinking this scenario, I do not think that is a workable approach.
> The reason why I originally asked for using a (sha-1) hash value over the
> replaced data instead of a simple, server-assigned identifier,
> was robustness.  Going through a handshake failure is _NOT_ an option.

That's what I expect as well, that handshake failure is not transparent
to _all_ applications, and that any retry logic will have to be in the
application.  That makes this protocol a bit problematic -- failures
will be rare, no doubt, so rare that we might not care, but when they
happen the application won't know that the failure is not permanent.
For browsers that may not be a problem (the user will just reload); for
non-browser apps (and scripts running in the browser!) this could be a

> I wanted to avoid the cache of the server and client to get out-of-sync,
> and the use of a sha-1 hash value over the real data instead of that
> data should be sufficiently robust so that the server will send the
> real data in case the client's cached value differs from what the
> server would normally send.

I don't see how to recover from collisions, transparently to apps,
without either adding round-trips, which is supposed to be a big no-no,
or making handshakes retriable (I'm assuming they aren't).

> It is generally impossible to recover from a TLS handshake failure.

Well, the app can retry.

Also, StartTLS protocols might be able to retry without the application
having to disconnect/reconnect.

> It normally requires closure of the existing connection and opening
> of a new connection because it is completely unspecified how to
> recover from a TLS handshake failure on a connection (and how to
> clear the network pipe from unprocessed data from the previous handshake).

It's easy to clear the "pipe" since the records have lengths.

> If a client-side proxy traversal is involved, a full app-level proxy
> handshake is required.  If proxy traversal requires an OTP authentication,
> it will be completely impossible without user interaction.

Is there such a thing as proxies that require OTP for authentication?
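The thread argues about keying cached server data by a hash of that data rather than by a server-assigned identifier, and about what happens when such a hash collides. The following simulation, added here as an illustration and not code from the cached-info draft or from either correspondent, models the exchange with assumed names (`Client`, `Server`, `handshake`, `collision_scenario`): the client offers the digest of the data it has cached, the server omits the data only on a match and otherwise sends it in full, so a stale cache heals itself. A deliberately truncated digest, constructed only so that a collision is cheap to find, then shows the failure mode the thread worries about: on a collision the server omits the data, the client silently proceeds with the wrong cached copy, and nothing in this exchange lets either side notice.

```python
"""
Simulation of hash-keyed cached-info negotiation (added example; the names
and message layout are assumptions, not the draft's wire format).
"""
import hashlib
from typing import Callable, Dict, Optional, Tuple

Digest = Callable[[bytes], bytes]


def sha1_digest(data: bytes) -> bytes:
    """Full SHA-1 digest, the hash the thread discusses."""
    return hashlib.sha1(data).digest()


class Server:
    def __init__(self, cert_chain: bytes, digest: Digest = sha1_digest):
        self.cert_chain = cert_chain
        self.digest = digest

    def respond(self, offered: Optional[bytes]) -> dict:
        """Omit the chain only if the client's offered digest matches ours;
        otherwise send the real data (this is what makes a stale cache safe)."""
        if offered is not None and offered == self.digest(self.cert_chain):
            return {"omitted": True, "digest": offered}
        return {"omitted": False, "cert_chain": self.cert_chain}


class Client:
    def __init__(self, digest: Digest = sha1_digest):
        self.cache: Dict[bytes, bytes] = {}  # digest -> cached cert chain
        self.digest = digest

    def offer(self) -> Optional[bytes]:
        # Single cached entry for simplicity; a real extension offers a list.
        return next(iter(self.cache), None)

    def receive(self, msg: dict) -> bytes:
        if msg["omitted"]:
            # Trusts that the digest identifies the cached data uniquely.
            return self.cache[msg["digest"]]
        chain = msg["cert_chain"]
        self.cache = {self.digest(chain): chain}
        return chain


def handshake(client: Client, server: Server) -> Tuple[bytes, bool]:
    """Run one exchange; return (chain the client will use, whether omitted)."""
    msg = server.respond(client.offer())
    return client.receive(msg), msg["omitted"]


def truncated_digest(data: bytes) -> bytes:
    # Constructed, deliberately weak digest (first byte of SHA-1) so that a
    # collision can be found in a few hundred tries for the demonstration.
    return hashlib.sha1(data).digest()[:1]


def find_colliding_chain(chain_a: bytes, digest: Digest) -> bytes:
    """Find a different constructed blob with the same (weak) digest."""
    target = digest(chain_a)
    i = 0
    while True:
        candidate = b"constructed-chain-B-%d" % i
        if candidate != chain_a and digest(candidate) == target:
            return candidate
        i += 1


def collision_scenario() -> dict:
    """Client caches chain A, then talks to a server whose chain B collides
    with A under the weak digest: the server omits B, the client uses A."""
    chain_a = b"constructed-chain-A"
    chain_b = find_colliding_chain(chain_a, truncated_digest)
    client = Client(digest=truncated_digest)
    handshake(client, Server(chain_a, digest=truncated_digest))  # populate cache
    used, omitted = handshake(client, Server(chain_b, digest=truncated_digest))
    return {"omitted": omitted, "used": used, "actual": chain_b,
            "used_wrong_chain": used != chain_b}


if __name__ == "__main__":
    c = Server(b"constructed-chain-A")
    cl = Client()
    print(handshake(cl, c))  # full data on first contact
    print(handshake(cl, c))  # omitted on the second
    print(collision_scenario()["used_wrong_chain"])
```

With a full SHA-1 the collision branch is not reachable in practice, which is why the thread treats it as rare; the point of the simulation is that when it does happen the protocol offers no in-band recovery, and the mismatch only surfaces later in the handshake, where, as the thread notes, the application must handle the failure itself.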