Re: [TLS] draft-rescorla-tls-renegotiate.txt

Nelson B Bolyard <> Sat, 07 November 2009 00:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5532A28C0F2 for <>; Fri, 6 Nov 2009 16:15:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.802
X-Spam-Status: No, score=-2.802 tagged_above=-999 required=5 tests=[AWL=-0.203, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PdBlfc7FWyhb for <>; Fri, 6 Nov 2009 16:15:57 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 846DA28C0EE for <>; Fri, 6 Nov 2009 16:15:57 -0800 (PST)
Received: (qmail 28461 invoked from network); 7 Nov 2009 00:16:20 -0000
Received: from unknown ( by ( with ESMTP; 07 Nov 2009 00:16:19 -0000
Message-ID: <>
Date: Fri, 06 Nov 2009 16:16:14 -0800
From: Nelson B Bolyard <>
Organization: Network Security Services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b1pre) Gecko/20081004 NOT Firefox/2.0 SeaMonkey/2.0a2pre
MIME-Version: 1.0
To: IETF TLS Working Group <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] draft-rescorla-tls-renegotiate.txt
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 07 Nov 2009 00:15:58 -0000

On 2009-11-06 15:53 PDT, Martin Rex wrote:

> But what are we going to require from Servers that use the delayed
> authentication through renegotiation, and want to continue using it
> when SSLv3 clients connect (either stuck at or configured for SSLv3 only)?
> I think we ought to require them to refuse traditional renegotiation
> in the future (what should they send back to v3.0 clients trying)?

Here is an alternative that should have the same user experience and not
be MITM vulnerable, not even with SSL 3.0 clients:

   Replace renegotiation with redirection.

Set up a second https server (process) on the same physical server, e.g
a different port on the same IP address.  The new server always requests
client authentication on the initial handshake, not in a renegotiation.

All the assets that formerly lived in the original server and formerly
required renegotiation for client authentication are moved to the second
server on the new port.  In their place on the original server in placed
something that redirects the user to the asset's new location on the new

The user visits the first server, and is redirected to the second server,
whereupon he is asked for his client certificate.  This all seems to him
the same as before, but no renegotiation has occurred.

Since the two servers reside on the same IP address and same box, they
can share the same certificate and private key, so there is no additional
cost for additional certificates (sorry, CAs).

The only area where this MAY not work that occurs to me is POST.  I seem
to recall that some (most? all?) browsers will not re-POST data if they
get a redirect after doing the initial POST.  So, the two servers might
have to collude (:-), with the first server saving the POST data, and
setting a cookie, or putting a unique string into the redirected URL that
the second server could use to find the data saved by the first server,
after the user authenticates to it. (Maybe somebody come up with a better
alternative to that.)