Re: [TLS] SNI and tickets and resumption

Sajeev S <sajualways@gmail.com> Sun, 10 August 2014 16:16 UTC

In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C7185A0C850B@USMBX1.msg.corp.akamai.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7185A0C850B@USMBX1.msg.corp.akamai.com>
Date: Sun, 10 Aug 2014 21:46:39 +0530
Message-ID: <CAPWOt+XcRO_it4SxjHnD+TmJjEyG_BZ4+ENGXWfjjmz9SGFDjw@mail.gmail.com>
From: Sajeev S <sajualways@gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: multipart/alternative; boundary=001a11c21b06620538050048c320
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TqwQubUzksjYKKjc96500pvOJkU
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] SNI and tickets and resumption

As per RFC 6066 (Transport Layer Security (TLS) Extensions: Extension Definitions):

Note also that all the extensions defined in this document are
   relevant only when a session is initiated.  A client that requests
   session resumption does not in general know whether the server will
   accept this request, and therefore it SHOULD send the same extensions
   as it would send if it were not attempting resumption.  When a client
   includes one or more of the defined extension types in an extended
   client hello while requesting session resumption:

   -  The server name indication extension MAY be used by the server
      when deciding whether or not to resume a session as described in
      Section 3 <http://tools.ietf.org/html/rfc6066#section-3>.

   -  If the resumption request is denied, the use of the extensions is
      negotiated as normal.

   -  If, on the other hand, the older session is resumed, then the
      server MUST ignore the extensions and send a server hello
      containing none of the extension types.  In this case, the
      functionality of these extensions negotiated during the original
      session initiation is applied to the resumed session.


Regards,
Sajeev

On Sat, Aug 9, 2014 at 1:48 AM, Salz, Rich <rsalz@akamai.com> wrote:

> Can a client connect with an SNI extension and then later on resume or
> send a ticket with a different SNI value?
>
>
>
> I couldn’t find it documented anywhere. Am I missing something, or should
> we?
>
>
>
> --
>
> Principal Security Engineer
>
> Akamai Technologies, Cambridge MA
>
> IM: rsalz@jabber.me Twitter: RichSalz
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
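The three cases in the quoted RFC 6066 text (server MAY consult SNI when deciding whether to resume; a resumed session echoes no extensions and keeps the originally negotiated functionality; a denied resumption negotiates as normal) as a small server-side model. This is an added example, not code from the thread or from any TLS implementation: the Session, ClientHello and ServerHello records, the in-memory cache and the toy max_fragment_length negotiation are constructed stand-ins for real handshake state, and `bind_sni` is an assumed policy knob that exercises the MAY.

```python
"""Server-side resumption decision modelled on the RFC 6066 text quoted above.

Added illustration; the records and cache below are constructed stand-ins, not
any library's handshake state."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import secrets


@dataclass(frozen=True)
class Session:
    session_id: bytes
    server_name: Optional[str]      # SNI the session was originally established for
    negotiated: Dict[str, str]      # extension functionality agreed in the full handshake


@dataclass(frozen=True)
class ClientHello:
    session_id: Optional[bytes]     # set when the client asks to resume
    server_name: Optional[str]      # SNI, sent even when resuming (RFC 6066 SHOULD)
    extensions: Dict[str, str]      # proposed extensions, same as for a full handshake


@dataclass(frozen=True)
class ServerHello:
    resumed: bool
    session_id: bytes
    extensions: Dict[str, str]      # MUST be empty when the session is resumed


class SessionCache:
    """Constructed in-memory stand-in for a server session cache or ticket store."""

    def __init__(self) -> None:
        self._store: Dict[bytes, Session] = {}

    def put(self, session: Session) -> None:
        self._store[session.session_id] = session

    def get(self, session_id: bytes) -> Optional[Session]:
        return self._store.get(session_id)


def negotiate(proposed: Dict[str, str]) -> Dict[str, str]:
    """Toy full-handshake negotiation: accept max_fragment_length as offered,
    ignore everything else."""
    agreed: Dict[str, str] = {}
    if "max_fragment_length" in proposed:
        agreed["max_fragment_length"] = proposed["max_fragment_length"]
    return agreed


def handle_client_hello(hello: ClientHello, cache: SessionCache,
                        bind_sni: bool = True) -> Tuple[ServerHello, Session]:
    """Decide between resumption and a fresh handshake.

    bind_sni=True uses the RFC 6066 MAY: resumption is refused when the offered
    SNI differs from the name the cached session was created for, so a session
    minted under one name is not reused under another.  Returns the ServerHello
    and the Session whose negotiated functionality now applies to the connection."""
    cached = cache.get(hello.session_id) if hello.session_id is not None else None
    if cached is not None and (not bind_sni or cached.server_name == hello.server_name):
        # Resumed: the client's extensions are ignored, none are echoed, and the
        # functionality negotiated at the original full handshake carries over.
        return ServerHello(resumed=True, session_id=cached.session_id, extensions={}), cached

    # Resumption denied (or not requested): negotiate extensions as normal.
    fresh = Session(session_id=secrets.token_bytes(32),
                    server_name=hello.server_name,
                    negotiated=negotiate(hello.extensions))
    cache.put(fresh)
    return ServerHello(resumed=False, session_id=fresh.session_id,
                       extensions=fresh.negotiated), fresh


def demo() -> Dict[str, object]:
    """Walk the cases from the quoted text and return a summary."""
    cache = SessionCache()
    # Constructed handshakes: full handshake for a.example, then two resumption attempts.
    sh1, s1 = handle_client_hello(ClientHello(None, "a.example", {"max_fragment_length": "2^10"}), cache)
    sh2, s2 = handle_client_hello(ClientHello(s1.session_id, "a.example", {"max_fragment_length": "2^12"}), cache)
    sh3, s3 = handle_client_hello(ClientHello(s1.session_id, "b.example", {"max_fragment_length": "2^12"}), cache)
    return {
        "resumed_same_sni": sh2.resumed,            # True
        "hello_extensions_on_resume": sh2.extensions,  # {} per RFC 6066
        "applied_on_resume": s2.negotiated,         # original 2^10, not the re-offered 2^12
        "resumed_other_sni": sh3.resumed,           # False: refused, fresh negotiation
        "applied_after_denial": s3.negotiated,      # the newly offered 2^12
    }


if __name__ == "__main__":
    print(demo())
```

With `bind_sni=False` the same server resumes regardless of the offered name, which is the other side of the MAY; which behaviour is right depends on whether the server's certificate or policy is keyed on the name, so a server that serves several names from one process should bind the session to the name it was created for.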