Re: [TLS] Multiple Session Caches and SNI
Martin Rex <Martin.Rex@sap.com> Fri, 30 October 2009 20:31 UTC
Return-Path: <Martin.Rex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D7233A67BD for <tls@core3.amsl.com>; Fri, 30 Oct 2009 13:31:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.196
X-Spam-Level:
X-Spam-Status: No, score=-6.196 tagged_above=-999 required=5 tests=[AWL=0.053, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wkKEHUD31dda for <tls@core3.amsl.com>; Fri, 30 Oct 2009 13:31:02 -0700 (PDT)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id C9BB23A6867 for <tls@ietf.org>; Fri, 30 Oct 2009 13:31:01 -0700 (PDT)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id n9UKVHVA025735 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 30 Oct 2009 21:31:17 +0100 (MET)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200910302031.n9UKVG2k027818@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Fri, 30 Oct 2009 21:31:16 +0100
In-Reply-To: <4AEB3DD7.9080501@pobox.com> from "Michael D'Errico" at Oct 30, 9 12:26:15 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Multiple Session Caches and SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2009 20:31:04 -0000
Michael D'Errico wrote: > > > In addition to cache management aspects, the TLS server should keep > > robustness in mind. e.g. robustness against TLS clients with > > a broken client-side TLS session cache management that will > > recklessly propose a TLS session resume for a session (ID) originally > > established with Mars to just about every earthling they're asked > > to connect to later on. > > Section 7.2.2 of RFC 5246 concerning Error Alerts handles this. If > a connection terminates with a fatal alert, the session associated > with that connection MUST NOT be resumed. So perhaps a server will > try to resume the session once, but it will delete it from its cache > when the handshake fails. Other servers that don't recognize the > session ID will perform full handshakes. That appears to strict to me. I would make the server delete a session from his cache when an attempted resume results in a failure. I can not currently think of an error (i.e. fatal alert) after a mutual successful finished message verification that should cause the server to flush the affected ssl session from his session cache. > > > And before a TLS server checks for existence of a TLS session, > > whose session ID is proposed in a ClientHello, it should determine > > wheter it would be willing to establish a new session through > > a full handshake based on the other information in the ClientHello > > and under what conditions it would do so. > > I do it the other way around -- after retrieving the session, checks > are made to make sure the cipher suite and compression algorithm are > listed in the ClientHello. This is mandatory according to section > 7.4.1.2. The only other check I currently have is for the age of the > session to make sure it is fresh enough. An actual implementation will probably involve certains decisions based more on personal taste than factual requirements. The most important issue is consitent and predictable/deterministic behaviour of the server, even when broken clients are involved. > > > If the TLS server finds a TLS session with the proposed session ID > > in his cache, it should then use the results from the previous > > determination of the ClientHello parameters whether it is OK to > > attempt to resume the cached session, or whether it is advised > > to perform a full SSL handshake, because of a significant mismatch > > of the newly determine session characteristics from those > > of the cachend session identified by the client-proposed Session ID. > > RFC 4366 states: > > - If, on the other hand, the older session is resumed, then the > server MUST ignore the extensions and send a server hello > containing none of the extension types. In this case, the > functionality of these extensions negotiated during the original > session initiation is applied to the resumed session. Correct, but you should not read it backwards. If the server agrees to resume (for whatever reason), the other accompanying information in the ClientHello should NOT be used to modify that cached session. Does rfc-4366 say anywhere that the server _must_not_ involve the parameters and extensions present in a ClientHello in his decision to resume or not resume a cached SSL session when the client includes a session id in the ClientHello handshake message? -Martin
- [TLS] Questions about TLS Server Name Indication … Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Wan-Teh Chang
- Re: [TLS] Questions about TLS Server Name Indicat… Michael D'Errico
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Michael Gray
- Re: [TLS] Questions about TLS Server Name Indicat… Wan-Teh Chang
- Re: [TLS] Questions about TLS Server Name Indicat… Peter Gutmann
- Re: [TLS] Questions about TLS Server Name Indicat… Martin Rex
- Re: [TLS] Questions about TLS Server Name Indicat… Martin Rex
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Martin Rex
- Re: [TLS] Multiple domain names in SNI (was Quest… Michael D'Errico
- Re: [TLS] Multiple Session Caches and SNI (was Qu… Michael D'Errico
- Re: [TLS] Multiple domain names in SNI (was Quest… Martin Rex
- Re: [TLS] Renegotiation with SNI after initial co… Michael D'Errico
- Re: [TLS] Multiple domain names in SNI (was Quest… Michael D'Errico
- Re: [TLS] Multiple Session Caches and SNI (was Qu… Martin Rex
- Re: [TLS] Multiple domain names in SNI (was Quest… Martin Rex
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Multiple Session Caches and SNI Michael D'Errico
- Re: [TLS] Multiple domain names in SNI (was Quest… Michael Gray
- Re: [TLS] Multiple domain names in SNI (was Quest… Michael D'Errico
- Re: [TLS] Requiring SNI for resumption (was Quest… Michael D'Errico
- Re: [TLS] Multiple Session Caches and SNI Martin Rex
- Re: [TLS] Multiple Session Caches and SNI Michael D'Errico
- Re: [TLS] Questions about TLS Server Name Indicat… Michael D'Errico
- Re: [TLS] Questions about TLS Server Name Indicat… Pasi.Eronen