Re: [TLS] #445: Enhanced New Session Ticket
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 08 May 2016 13:12 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 601B512B004 for <tls@ietfa.amsl.com>; Sun, 8 May 2016 06:12:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.896
X-Spam-Level:
X-Spam-Status: No, score=-2.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UfEYMj6LmRcv for <tls@ietfa.amsl.com>; Sun, 8 May 2016 06:12:09 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id DCB1212D09E for <tls@ietf.org>; Sun, 8 May 2016 06:12:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 70C0C366B for <tls@ietf.org>; Sun, 8 May 2016 16:12:03 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id v55f-p0ni04r for <tls@ietf.org>; Sun, 8 May 2016 16:12:03 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-155-121.bb.dnainternet.fi [87.100.155.121]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 1C9E0289 for <tls@ietf.org>; Sun, 8 May 2016 16:12:03 +0300 (EEST)
Date: Sun, 08 May 2016 16:12:01 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <20160508131201.GA4844@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/UMc02vMOkHf_VG2dt5XD0acbmvk>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 May 2016 13:12:11 -0000
On Thu, Apr 28, 2016 at 10:32:52PM +0300, Ilari Liusvaara wrote: > > - The requirement for server to validate its extensions... Hopefully > there is no security reason for that... I really don't see it being > implemented correctly (and the description looks completely screwy[1]). Thinking some more about this, I now consider such validation to be a bad idea for _any_ current extension. Take all current extensions. Drop the following categories: - Connection control (ServerHello or hint for future) - Server auth control (no server auth) - Client auth control (CertificateRequest can alter things in all sorts of ways). - Disallowed in TLS 1.3. As these categories pretty obviously don't need to match. This leaves the following: 1) use_srtp 2) heartbeat 3) token_binding 4) application_layer_protocol_negotiation 5) server_name Looking into each in turn: 1) use_srtp This extension is arguably very much connection control (it negotiates if use of TLS-EXPORTER and TLS-MUX is OK and crypto algorithms for sideband data). It does not appear to have anything to do with 0-RTT. The type of extension in TLS 1.2 is unknown (couldn't find it in the spec). Presumably connection-type. 2) heartbeat Oh yes, this infamous extension... Also arguably very much connection control (negotiates if heartbeat mechnaism can be used). The type of extension in TLS 1.2 is unknown (couldn't find it in the spec). Presumably connection-type. 3) token_binding This extension is negotiating application-layer matters (it is TLS extension only to imporove performance). It is explicitly connection- type for TLS 1.2 (so forget reusing "session cache"). Applying this extension to 0-RTT runs into obvious difficulties, and I would not be happy to see complications in base TLS to handle the mess. It isn't published RFC yet, either. 4) application_layer_protocol_negotiation This is connection-type in TLS 1.2. Also the fact that accepted 0-RTT locks the ALP, while this extension negotiates ALP is a good reason why this extension MUST NOT be allowed in presence of accepted 0-RTT. That is, the ALP of the 0-RTT context needs to become the ALP of the new connection that accepts the context without negotiation, because there is exactly one ALP that can possibly work. 5) server_name Now this is a fun one... Serverside, this is merely ACK'd, so one would have to look at client request, not server response. This also seems like that if you get some problems with 0-RTT with different SNI, you get the same problem with just PSK without 0-RTT with different SNI. To make matters more fun, this interacts with <swearing>middleboxes </swearing> that sometimes route connections based on this. -Ilari
- [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara