IETF Logo Mail Archive

Re: [TLS] #445: Enhanced New Session Ticket

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 08 May 2016 13:12 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 601B512B004 for <tls@ietfa.amsl.com>; Sun, 8 May 2016 06:12:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.896
X-Spam-Level:
X-Spam-Status: No, score=-2.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UfEYMj6LmRcv for <tls@ietfa.amsl.com>; Sun, 8 May 2016 06:12:09 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id DCB1212D09E for <tls@ietf.org>; Sun, 8 May 2016 06:12:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 70C0C366B for <tls@ietf.org>; Sun, 8 May 2016 16:12:03 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id v55f-p0ni04r for <tls@ietf.org>; Sun, 8 May 2016 16:12:03 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-155-121.bb.dnainternet.fi [87.100.155.121]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 1C9E0289 for <tls@ietf.org>; Sun, 8 May 2016 16:12:03 +0300 (EEST)
Date: Sun, 08 May 2016 16:12:01 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <20160508131201.GA4844@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/UMc02vMOkHf_VG2dt5XD0acbmvk>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 May 2016 13:12:11 -0000

On Thu, Apr 28, 2016 at 10:32:52PM +0300, Ilari Liusvaara wrote:
>
> - The requirement for server to validate its extensions... Hopefully
>   there is no security reason for that... I really don't see it being
>   implemented correctly (and the description looks completely screwy[1]).

Thinking some more about this, I now consider such validation to be a
bad idea for _any_ current extension.

Take all current extensions. Drop the following categories:
- Connection control (ServerHello or hint for future)
- Server auth control (no server auth)
- Client auth control (CertificateRequest can alter things in all
  sorts of ways).
- Disallowed in TLS 1.3.

As these categories pretty obviously don't need to match.

This leaves the following:
1) use_srtp
2) heartbeat
3) token_binding
4) application_layer_protocol_negotiation 
5) server_name

Looking into each in turn:

1) use_srtp

This extension is arguably very much connection control (it negotiates
if use of TLS-EXPORTER and TLS-MUX is OK and crypto algorithms for
sideband data). It does not appear to have anything to do with 0-RTT.

The type of extension in TLS 1.2 is unknown (couldn't find it in the
spec). Presumably connection-type.

2) heartbeat

Oh yes, this infamous extension... Also arguably very much connection
control (negotiates if heartbeat mechnaism can be used).

The type of extension in TLS 1.2 is unknown (couldn't find it in the
spec). Presumably connection-type.


3) token_binding

This extension is negotiating application-layer matters (it is TLS
extension only to imporove performance). It is explicitly connection-
type for TLS 1.2 (so forget reusing "session cache"). Applying this
extension to 0-RTT runs into obvious difficulties, and I would not be
happy to see complications in base TLS to handle the mess. It isn't
published RFC yet, either.


4) application_layer_protocol_negotiation

This is connection-type in TLS 1.2. Also the fact that accepted 0-RTT
locks the ALP, while this extension negotiates ALP is a good reason why
this extension MUST NOT be allowed in presence of accepted 0-RTT.

That is, the ALP of the 0-RTT context needs to become the ALP of the
new connection that accepts the context without negotiation, because
there is exactly one ALP that can possibly work.


5) server_name

Now this is a fun one... Serverside, this is merely ACK'd, so one
would have to look at client request, not server response.

This also seems like that if you get some problems with 0-RTT with
different SNI, you get the same problem with just PSK without 0-RTT
with different SNI.

To make matters more fun, this interacts with <swearing>middleboxes
</swearing> that sometimes route connections based on this.



-Ilari

v2.23.0 | Report a Bug | By Email