RE: [TLS] Stateless TLS Session Resumption extension and EAP-FAST.
"Joseph Salowey \(jsalowey\)" <jsalowey@cisco.com> Mon, 05 March 2007 22:18 UTC
Return-path: <tls-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOLVi-0004q2-23; Mon, 05 Mar 2007 17:18:26 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOLVg-0004pC-91 for tls@ietf.org; Mon, 05 Mar 2007 17:18:24 -0500
Received: from sj-iport-4.cisco.com ([171.68.10.86]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HOLVd-00065j-T1 for tls@ietf.org; Mon, 05 Mar 2007 17:18:24 -0500
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-4.cisco.com with ESMTP; 05 Mar 2007 14:18:21 -0800
X-IronPort-AV: i="4.14,251,1170662400"; d="scan'208"; a="45411909:sNHT49577454"
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id l25MILcU021717; Mon, 5 Mar 2007 14:18:21 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id l25MIJYU021561; Mon, 5 Mar 2007 22:18:21 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 5 Mar 2007 14:18:20 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Stateless TLS Session Resumption extension and EAP-FAST.
Date: Mon, 05 Mar 2007 14:18:19 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE5035D58F1@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <45E72ECD.9000603@alcatel-lucent.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Stateless TLS Session Resumption extension and EAP-FAST.
Thread-Index: AcdcO18dYchwt6jARjGQj1RE7JzOdgDN6srA
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Jan Nordqvist <jnordqvist@alcatel-lucent.com>, tls@ietf.org
X-OriginalArrivalTime: 05 Mar 2007 22:18:20.0536 (UTC) FILETIME=[2E8FA780:01C75F74]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=2082; t=1173133101; x=1173997101; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jsalowey@cisco.com; z=From:=20=22Joseph=20Salowey=20\(jsalowey\)=22=20<jsalowey@cisco.com> |Subject:=20RE=3A=20[TLS]=20Stateless=20TLS=20Session=20Resumption=20exte nsion=20and=20EAP-FAST. |Sender:=20; bh=Qggd7ZABo0GN9KtZTbzSRRDoPWNs9e+ON3Puf8EQE9k=; b=BwXNXsSsiqjOXLUDVtcHvHNonjUe9nFdhxUlll6BeDBdR78HLcQyrbYWo9thMrNvotdsr2vS haD5POTqnSBVdn1lLLqiYDtdwTY6JIZUB80yTpl/Ea8zyhyucJoP/piZ;
Authentication-Results: sj-dkim-3; header.From=jsalowey@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d8ae4fd88fcaf47c1a71c804d04f413d
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Hi Jan, You are correct, there is an issue with current implementation. Thanks for pointing this out. Details follow: Current EAP-FAST implementations do not format the extension correctly as to spec. They leave out one of the length fields. EAP-FAST implementation: struct { uint16 extensionType opaque ticket<0..2^16-1> } SessionTicketExtension Example encoding: 00 23 LL LL TT TT TT ... LL - ticket length TT - ticket RFC4507: > struct { > opaque ticket<0..2^16-1>; > } SessionTicket; > > struct { > uint16 extensionType > opaque SessionTicket<0..2^16-1> > } SessionTicketExtension > Example encoding: 00 23 LN LN LL LL TT TT TT.... LN - length of ticket + 2-bytes Joe > -----Original Message----- > From: Jan Nordqvist [mailto:jnordqvist@alcatel-lucent.com] > Sent: Thursday, March 01, 2007 11:52 AM > To: tls@ietf.org > Subject: [TLS] Stateless TLS Session Resumption extension and > EAP-FAST. > > I apologize if this gets duplicated, I had the wrong address > registered: > > During some recent work incorporating EAP-FAST support into > our TLS stack I have discovered that the devices we use for > testing are violating the format of the stateless session > ticket extension definition per RFC-4507. In all instances I > have seen, the whole SessionTicket is preceded by a two-byte > 'type' field, i.e. the definition is really > > struct { > uint16 type; > opaque ticket<0..2^16-1>; > } SessionTicket; > > I don't know the size of deployments of EAP-FAST devices > versus other implementations using the session ticket > extension, but it seems that either RFC-4507 needs to be > updated to reflect what is actually implemented or perhaps > the extension should be split into two. > > Regards, > Jan Nordqvist > > > _______________________________________________ > TLS mailing list > TLS@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/tls > _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- RE: [TLS] Open issue: Record Version Numbers Pasi.Eronen
- [TLS] Open issue: Record Version Numbers Eric Rescorla
- Re: [TLS] Open issue: Record Version Numbers Eric Rescorla
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] Open issue: Record Version Numbers Martin Rex
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] Open issue: Record Version Numbers Martin Rex
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] Open issue: Record Version Numbers Martin Rex
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] Open issue: Record Version Numbers Martin Rex
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- RE: [TLS] Open issue: Record Version Numbers Pasi.Eronen
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- [TLS] TLS 1.1 and static DH Jan Nordqvist
- RE: [TLS] TLS 1.1 and static DH Pasi Eronen
- RE: [TLS] TLS 1.1 and static DH Peter Gutmann
- RE: [TLS] TLS 1.1 and static DH Pasi.Eronen
- Re: [TLS] TLS 1.1 and static DH Bodo Moeller
- Re: [TLS] TLS 1.1 and static DH Dr Stephen Henson
- RE: [TLS] Open issue: Record Version Numbers Pasi.Eronen
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] TLS 1.1 and static DH EKR
- RE: [TLS] Open issue: Record Version Numbers Peter Gutmann
- Re: [TLS] TLS 1.1 and static DH Nelson B Bolyard
- Re: [TLS] TLS 1.1 and static DH Nelson B Bolyard
- Re: [TLS] Open issue: Record Version Numbers Nelson B Bolyard
- Re: [TLS] TLS 1.1 and static DH Peter Gutmann
- Re: [TLS] Open issue: Record Version Numbers tom.petch
- RE: [TLS] TLS 1.1 and static DH Pasi.Eronen
- RE: [TLS] TLS 1.1 and static DH Rob Dugal
- Re: [TLS] TLS 1.1 and static DH Jan Nordqvist
- Re: [TLS] TLS 1.1 and static DH Jan Nordqvist
- Re: [TLS] TLS 1.1 and static DH Rob Dugal
- RE: [TLS] Open issue: Record Version Numbers Pasi.Eronen
- [TLS] Stateless TLS Session Resumption extension … Jan Nordqvist
- RE: [TLS] Stateless TLS Session Resumption extens… Joseph Salowey (jsalowey)
- RE: [TLS] Stateless TLS Session Resumption extens… Joseph Salowey (jsalowey)