Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates
mrex@sap.com (Martin Rex) Wed, 01 July 2015 16:18 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F4A31A9147 for <tls@ietfa.amsl.com>; Wed, 1 Jul 2015 09:18:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZdHmxE5lCZx0 for <tls@ietfa.amsl.com>; Wed, 1 Jul 2015 09:18:53 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 288641A9136 for <tls@ietf.org>; Wed, 1 Jul 2015 09:18:53 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 1C2672ACAD for <tls@ietf.org>; Wed, 1 Jul 2015 18:18:51 +0200 (CEST)
X-purgate-ID: 152705::1435767531-00005316-018284C9/0/0
X-purgate-size: 6095
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 15FC040276 for <tls@ietf.org>; Wed, 1 Jul 2015 18:18:52 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 22FE31A1B2; Wed, 1 Jul 2015 18:18:51 +0200 (CEST)
In-Reply-To: <20150630235340.GI14121@mournblade.imrryr.org>
To: tls@ietf.org
Date: Wed, 01 Jul 2015 18:18:51 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150701161851.22FE31A1B2@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/YNo292BiM03Ek8NgGKFvcfzo6cY>
Subject: Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2015 16:18:56 -0000
Viktor Dukhovni wrote: > On Tue, Jun 30, 2015 at 10:26:13PM +0200, Martin Rex wrote: >> is in conflict with >> >> Section 3.1, last paragraph >> https://tools.ietf.org/html/rfc7301#page-5 >> >> Unlike many other TLS extensions, this extension does not establish >> properties of the session, only of the connection. When session >> resumption or session tickets [RFC5077] are used, the previous >> contents of this extension are irrelevant, and only the values in the >> new handshake messages are considered. > > I don't think there's a conflict here. All that's said is that > ALPN is not a session property, and its value for a previous > connection is not directly relevant for a new connection. Each > connection signals its own ALPN value. There is a very clear conflict here. A TLS session resume skips the exchange of credentials&identities (such as certificates), so as a result of a session resumption the session will have the _cached_ certificates from the original full TLS handshake as session attributes. This is in direct conflict with the idea of selecting protocol-specific certificates through ALPN and describing ALPN as connection-specific rather than session-specific. Another issue is renegotiation: it makes little sense to allow ALPN to change the negotiated protocol during the renegotiation handshake, because this would cause extreme complexity and all kinds of problems, in particular because of two issues: - rfc5746 urges TLS implementations to not allow change of (server)certificate during renegotiation without an explicit opt-in by the application, because most application will not be able to properly deal with this--most even don't know or realize that it happens/happend, such as HTTP-based apps on a blocking OpenSSL-Style interface (SSL_read()) that are forced through a renegotiation by the server (who is asking for a client certificate with renegotiation), and do not actually realize that there was a renegotiation during the blocking SSL_read() operation while they were waiting for a response. - how would the change in the negotiated protocol affect the application layer protocol. e.g. what would it mean if the client offers http/1.1 and h2 through ALPN on both handshakes (initial and renegotiation) and the server would pick "http/1.1" on the inital handshake and "h2" on the renegotiation for "using renego to request a client cert after having seen the request" for the application layer protocol semantics. Will a client app that enables ALPN suddenly have to check the "current" ALPN protocol for every single SSL_read() operation that returns app data, because there may have been a transparent renegotation under the cover and the protocol may have changed? -Martin - How would a change in the ALPN protocol > > Now to the extent that a new connection elects a different protocol > and thus a different server certificate chain, or the server's > configuration has changed and the same ALPN protocol is now associated > with a new certificate chain, the server needs to perform a full > handshake, so that the client sees the correct certificate chain. > > > Currently, my client-side session cache management, and the decision whether > > to propose a TLS session to the server for resumption, is based on a match > > of the application supplied "target name" which is usually an fqdn hostname, > > but could also be an abbreviated hostname or an IP address. > > Postfix has had solved a similar issue some time ago, because > multiple SMTP destination domains can use the same MX host, but > the sending MTA administrator TLS policy may differ between domains > and these domains might use distinct "transports" (instances of > SMTP delivery channels, roughly analogous to a Sendmail "mailer"), > where each transport has different trust-anchors or other relevant > TLS settings. > > Therefore, the client cache is indexed by multiple properties that > extract the enough detail from the security policy to make sure we > are reaching the right server at the right security level. The > relevant attributes are: > > * Postfix "transport name". Different transports > have potentially very different base TLS settings, and it is > simplest to not mix session caches accross "transports" > > * Nexthop domain (with port), MX hostname and target IP address. > Some MX hosts that appear to be a single multi-homed host are > in fact multiple hosts with separate caches, so each IP address > gets a different parallel cache. > > * The EHLO name of the remote SMTP server, this detects split > caches (multiple SMTP servers) behind a load balancer. > > C: EHLO client-name > S: 250-<server-name> > ... > 250 STARTTLS > > Google's pool of MX hosts at any given IP address, has a > shared session cache, and a common EHLO name, so session > caching works well across the load balancer. Some providers > have shared caches, but fail to return a common HELO name, > and the client cache is then not nearly as effective. > > * ... > > > Essentially, I believe that tagging of the session with the ALPN > > negotiated protocol to result in more "predictable" behaviour, because > > it will not interfere with client-side session cache management > > and not result in occasional confusion should other server implementors > > ever make their servers use different server certificates for > > different ALPN-negotiated protocols. > > So, yes include all TLS security-relevant attributes in some manner > in the client cache lookup key to avoid mixing cached sessions with > incompatible security requirements. > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] RFC7301 ALPN conflicting objectives about a… Martin Rex
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Andrei Popov
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Martin Rex
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Viktor Dukhovni
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Martin Rex
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Viktor Dukhovni
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Andrei Popov
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Martin Rex
- Re: [TLS] RFC7301 ALPN conflicting objectives abo… Viktor Dukhovni