IETF Logo Mail Archive

Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)

Yoav Nir <ynir@checkpoint.com> Wed, 11 December 2013 22:17 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CE481AE0D6 for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 14:17:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gAyrSbkZC3Xs for <tls@ietfa.amsl.com>; Wed, 11 Dec 2013 14:17:31 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 287C31ADF52 for <tls@ietf.org>; Wed, 11 Dec 2013 14:17:30 -0800 (PST)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id rBBMHLCY010843; Thu, 12 Dec 2013 00:17:21 +0200
X-CheckPoint: {52A8E0E1-7-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.146]) by DAG-EX10.ad.checkpoint.com ([169.254.3.213]) with mapi id 14.03.0123.003; Thu, 12 Dec 2013 00:17:21 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Thread-Topic: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
Thread-Index: AQHO9PKwvFEdHESyEEm0ZUd+bMkQKppNxnIAgAAZ0wCAABfOAIABARgAgAAiFBCAAE9YgIAAB4AA
Date: Wed, 11 Dec 2013 22:17:20 +0000
Message-ID: <CC063FF0-D2FF-4BB3-9234-8E1C26EBDAF9@checkpoint.com>
References: <CAFewVt7SS9ud8J=6VtR-Zv-9bhaTHEnjT8XD+ULaRSVUkYftaQ@mail.gmail.com> <52A77DB4.7020501@gmx.net> <52A7935E.5020906@cs.tcd.ie> <87ob4o1dbd.fsf@alice.fifthhorseman.net> <52A87F00.7000304@cs.tcd.ie> <4613980CFC78314ABFD7F85CC302772121B21CE3@IL-EX10.ad.checkpoint.com> <52A8DE25.4070905@fifthhorseman.net>
In-Reply-To: <52A8DE25.4070905@fifthhorseman.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.139]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-ID: <D1BB9D0041E0694288E3B75A919F7399@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF TLS Working Group <tls@ietf.org>
Subject: Re: [TLS] A new consensus call on ALPN vs NPN (was ALPN concerns)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Dec 2013 22:17:33 -0000

On Dec 11, 2013, at 11:50 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> On 12/11/2013 10:16 AM, Yoav Nir wrote:
>> I think it's possible to get all the extension hiding we want in TLS 1.3, even while keeping BC with TLS 1.0 servers:
>> 
>> 1. Client sends ClientHello without the problem extensions (ALPN, SNI). The record version is 3.1 (TLS 1.0), while the supported version is 3.4 (TLS 1.3). 
>> 
>> 2a. The server replies with TLS 1.3, and everything works as planned. The end.
>> 
>> 2b. The server replies with TLS 1.0, and some certificate. The certificate may or may not fit the site. Makes no difference for now.
>> 3b. The client completes the exchange, and immediately begins a renegotiation
>> 4b. In this renegotiation, the versions offered are just TLS 1.0 to TLS 1.2, and all extensions are present (though encrypted).
>> 5b. The renegotiation completes at TLS 1.0 with all extensions.
> 
> This approach should work to hide all extensions in current versions of
> TLS as well, right?  But no one does it, as far as i know.

Not that I'm aware of either, but it's not that different from hiding client certificates by making the first handshake server-authenticated, and the second handshake mutually-authenticated. That is something that some servers do, and all the clients cooperate nicely.

> Do you know of any TLS client library which does this, or provides an
> option to do it without a bunch of manual intervention in the workflow
> of the TLS stack by the library user?  Do you think certain tools or
> users should be doing this now?

I've seen the client certificate hiding done with Apache and OpenSSL. I don't think any information in the TLS handshake is as sensitive as the user name in the certificate.

> 
> Are there any extensions which require that their content must be
> identical across session resumption or across a re-handshake?

Not to my knowledge.

> If so, it doesn't seem like those extensions could be used in this
> re-handshake approach.
> 
> 
> 	--dkg
> 
>

v2.23.0 | Report a Bug | By Email