Re: [TLS] TLS renegotiation issue

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 05 November 2009 20:32 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BBBC23A69C0 for <tls@core3.amsl.com>; Thu, 5 Nov 2009 12:32:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.015
X-Spam-Level:
X-Spam-Status: No, score=-6.015 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXIpuKTvRMJb for <tls@core3.amsl.com>; Thu, 5 Nov 2009 12:32:44 -0800 (PST)
Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM [192.18.43.24]) by core3.amsl.com (Postfix) with ESMTP id 532C43A69E1 for <tls@ietf.org>; Thu, 5 Nov 2009 12:32:44 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id nA5KX20w006034 for <tls@ietf.org>; Thu, 5 Nov 2009 20:33:02 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id nA5KX2Og015310 for <tls@ietf.org>; Thu, 5 Nov 2009 13:33:02 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nA5KLVao009353; Thu, 5 Nov 2009 14:21:31 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nA5KLVvR009352; Thu, 5 Nov 2009 14:21:31 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 5 Nov 2009 14:21:31 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20091105202130.GH1105@Sun.COM>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3@rtfm.com> <d3aa5d00911051016p7a0cc508q2090b86de30a50d5@mail.gmail.com> <20091105184615.GG1105@Sun.COM> <d3aa5d00911051109r3d5dae33jef42e9dd2db1b0b@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <d3aa5d00911051109r3d5dae33jef42e9dd2db1b0b@mail.gmail.com>
User-Agent: Mutt/1.5.7i
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS renegotiation issue
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2009 20:32:45 -0000

On Thu, Nov 05, 2009 at 11:09:51AM -0800, Eric Rescorla wrote:
> On Thu, Nov 5, 2009 at 10:46 AM, Nicolas Williams
> <Nicolas.Williams@sun.com>; wrote:
> > On Thu, Nov 05, 2009 at 10:16:11AM -0800, Eric Rescorla wrote:
> >> I now have a draft extension up at:
> >>
> >> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
> >> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.xml
> >
> > Initial comments based on a brief skim:
> >
> >  - Please add a normative reference to RFC5056.
> 
> There's no need for a normative reference here. This mechanism is
> self-contained.
> I'd be happy to add an informative reference.

That's also true about draft-altman-tls-channel-bindings then, but you
have a normative reference to it.  I'm happy with an informative
reference.

> >  - There's no real need for the ServerHello to include both of the
> >   Finished messages from the outer TLS connection.  (I think there's no
> >   real need for the ServerHello to include either of them, actually,
> >   but I've not thought enough about that.)  But it's OK as is, of
> >   course.
> 
> The general consensus was that it was harmless and might potentially
> avoid some reflection logic errors.

If the server sends anything other than a mere acknowledgement, it
should send its Finished message from the outer connection -- the client
can then check that to see that the server really does understand this
-- and the doc should say that the client must check this (but I think
it does say this).  The server sending the client's Finished message
back is superfluous, but I agree that it's harmless.

> >  - You call for each TLS handshake to bind to the one immediately
> >   outside it.
> >
> >   Would it be better to bind to the outer-most one instead?
> >
> >   (In practice there's probably never more than one outer and one inner
> >   handshake, right?)
> 
> Why do you think this is an improvement.

Either way the binding would ultimately be to the outer-most connection,
therefore this way there's less state to track.  A minor point, I agree.

> >  - There is a way for clients to protect themselves even when servers
> >   don't implement this extension:
> >
> >   a) clients MUST NOT ever send any application-level messages without
> >      TLS protection if they are willing to negotiate a TLS connection
> >      after sending any application-level messages,
> >
> >   _and_,
> >
> >   b) if a server requests re-negotiation then the client MUST ensure
> >      that the outer and inner TLS connection handshakes used a server
> >      certificate, and, specifically, the _same_ server certificate,
> >      otherwise the client MUST abort without ever completing the
> >      second/inner handshake.
> 
> This isn't enough. If you look at the diagram you can see that the
> client never experiences a renegotiation.

That's one diagram.  There's other cases, but even in the case you
described, if the client never experiences a re-negotiation then it will
not have authenticated itself, or, if it has authenticated itself then
it will/should also have authenticated the server to the client, in
which case the MITM can't be.  As a result the MITM gets nothing.  (My
rules cover the case where a client would send a request unprotected,
then negotiates TLS when the server requires authentication -- my rules
forbid that.)

> >  - Might as well update RFC5246 to indicate that the Finished messages
> >   for any connection MUST be exported to applications.  Better get this
> >   done now.
> 
> This sort of interface issue seems out of scope for the TLS spec.

Let me re-phrase: the finished messages should be added to
SecurityParameters (Martin evidently takes that to be something should
be exported to apps; I don't entirely agree with Martin on that point).

Nico
--