IETF Logo Mail Archive

Re: [TLS] TLSrenego - current summary of semantics and possibilities

Steve Dispensa <dispensa@phonefactor.com> Tue, 10 November 2009 19:37 UTC

Return-Path: <dispensa@phonefactor.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 16D6328C15A for <tls@core3.amsl.com>; Tue, 10 Nov 2009 11:37:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgRdqEBSOfoI for <tls@core3.amsl.com>; Tue, 10 Nov 2009 11:37:03 -0800 (PST)
Received: from na3sys009aog108.obsmtp.com (na3sys009aog108.obsmtp.com [74.125.149.199]) by core3.amsl.com (Postfix) with SMTP id C67CC3A67EA for <tls@ietf.org>; Tue, 10 Nov 2009 11:37:02 -0800 (PST)
Received: from source ([204.13.120.8]) by na3sys009aob108.postini.com ([74.125.148.12]) with SMTP ID DSNKSvnA+QeQe1qD2N4otEOXBvwczd8JgsAj@postini.com; Tue, 10 Nov 2009 11:37:30 PST
Received: from 10.10.9.106 ([10.10.9.106]) by pos-exch1.corp.positivenetworks.net ([204.13.120.8]) with Microsoft Exchange Server HTTP-DAV ; Tue, 10 Nov 2009 19:35:37 +0000
User-Agent: Microsoft-Entourage/12.20.0.090605
Date: Tue, 10 Nov 2009 13:37:27 -0600
From: Steve Dispensa <dispensa@phonefactor.com>
To: mrex@sap.com, Michael D'Errico <mike-list@pobox.com>
Message-ID: <C71F1D17.251AC%dispensa@phonefactor.com>
Thread-Topic: [TLS] TLSrenego - current summary of semantics and possibilities
Thread-Index: AcpiPTvXuQF4GNyNjEOph1qMO6f3fA==
In-Reply-To: <200911101928.nAAJSGjI020038@fs4113.wdf.sap.corp>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] TLSrenego - current summary of semantics and possibilities
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2009 19:37:04 -0000

On 11/10/09 1:28 PM, "Martin Rex" <mrex@sap.com> wrote:
>   - if a TLS client (any protocol version, including SSLv3) performs
>     renegotiation (i.e. sends a ClientHello over an established
>     TLS session with a ciphersuite other than TLS_NULL_WITH_NULL_NULL),
>     then it SHOULD always and unconditionally use the TLS extension
>     Renegotiation_Info containing the verify_data of the client.finished
>     handshake message from the active TLS session,
>     The TLS client should do that even when it did not send the
>     TLS extension Renegotiation_Info with and empty extension data
>     in the initial TLS handshake on a connection!
> 
>     Lacking application level re-connect provisions for forward-incompatible
>     SSL/TLS servers, a TLS client might not want to sent the TLS extension
>     in the initial ClientHello of a connection.

This was discussed a bit at the Sept. 29 meeting. I had originally suggested
that the extension need not be present during initial negotiations at all,
but it was pointed out that network management systems might want to
inventory patched clients and servers.

> Overloading ("abusing") the semantics of other regular elements
> of an SSL/TLS handshake that have a lesser likelihood to upset
> legacy servers.

This is an interesting potential solution to the network monitoring problem,
if nothing else. 

 -Steve

v2.23.0 | Report a Bug | By Email