Re: [TLS] Proposed text for removing renegotiation

Andrei Popov <> Wed, 11 June 2014 19:41 UTC

From: Andrei Popov <>
To: Nikos Mavrogiannopoulos <>, "Salz, Rich" <>
Date: Wed, 11 Jun 2014 19:41:53 +0000
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

In any case, the triple handshake vulnerability has to be fixed, at least in TLS1.2 and below. The same fix would likely apply to TLS1.3, so IMHO triple handshake does not necessitate the removal of renegotiation from TLS1.3.



-----Original Message-----
From: TLS [] On Behalf Of Nikos Mavrogiannopoulos
Sent: Tuesday, June 10, 2014 9:04 AM
To: Salz, Rich
Subject: Re: [TLS] Proposed text for removing renegotiation

On Tue, 2014-06-10 at 10:53 -0400, Salz, Rich wrote:
> > Could you please cite these security issues. In the 17 years of the protocol I have only seen one.
> Which one are you omitting -- Marsh's  or triple-handshake?

The triple handshake identified many issues in TLS but no issue in the renegotiation. Renegotiation cannot solve the protocol's vulnerability the triple handshake exploits.

Nevertheless, you can see the importance of renegotiation in the triple handshake attack by checking the preconditions for the attack. On their website the authors clarify the vulnerabilities they identified; quoting them on renegotiation: "During renegotiation, both the server and client certificates can change. This is allowed by TLS (and supported in its main implementations) but no definitive guidance is given to applications on how to deal with such changes".

Mentioning the lack of application-level guidance (for applications that need and make use of it) as a reason to drop renegotiation is a bit far-fetched.

