IETF Logo Mail Archive

Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates

mrex@sap.com (Martin Rex) Tue, 30 June 2015 23:00 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D32F91AD0B4 for <tls@ietfa.amsl.com>; Tue, 30 Jun 2015 16:00:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EgRGYu31cyne for <tls@ietfa.amsl.com>; Tue, 30 Jun 2015 16:00:46 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E338C1ACDE1 for <tls@ietf.org>; Tue, 30 Jun 2015 16:00:45 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id EDD3D2A7CA; Wed, 1 Jul 2015 01:00:42 +0200 (CEST)
X-purgate-ID: 152705::1435705242-00000B48-24FCA13E/0/0
X-purgate-size: 3185
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id C1DA742FEB; Wed, 1 Jul 2015 01:00:42 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id B82C71A1AD; Wed, 1 Jul 2015 01:00:42 +0200 (CEST)
In-Reply-To: <BLUPR03MB1396345FC41E35BC22C5762A8CA90@BLUPR03MB1396.namprd03.prod.outlook.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Date: Wed, 01 Jul 2015 01:00:42 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150630230042.B82C71A1AD@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Ym4qxJx1AWspJ9ZMLh-_Kfsime0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 23:00:51 -0000

Andrei Popov wrote:
>> 
>> If the server uses distict server certificates per application protocol
>> and properly(!!) performs a full handshake if the server certificate
>> does not fit the requested application protocol, then alternating
>> requests with two different protocols to the same server will result
>> in constant full TLS handshakes.
> 
> Yes, if a client negotiates a different application protocol on a
> subsequent connection, the server may reject resumption (which the
> server can always do anyway, regardless of ALPN).

Correct, the server may decide for a full handshake for a number of reasons.
But in general, I want TLS session caching to work and expect to see
a session resumption vs. full handshake rate of >> 10:1 on healthy servers.


>  
>> But what can also easily happen, is that the server is inappropriately
>> sharing the server-side session cache an incorrectly resuming sessions
>> associated with the wrong server certificate (a different certificate
>> than what the server would select if it would perform a full TLS
>>  handshake), ...
> 
> This would be a server bug indeed.

No, not right now.  It would be a server implementing a defective
specification as written, due to the last paragraph in section 3.1
of rfc7301.


> 
>> Essentially, I believe that tagging of the session with the ALPN
>> negotiated protocol to result in more "predictable" behaviour,
>> because it will not interfere with client-side session cache
>> management and not result in occasional confusion should other
>> server implementors ever make their servers use different server
>> certificates for different ALPN-negotiated protocols.
> 
> Can you describe how such tagging would work in more detail?

For the client, I will memorize the app-requested ALPN list in
the client-side session cache and attempt resumption only when
the application supplies the same ALPN list.

For the server, two possible approaches are conceivable.

(1) an extension specific approach, where the server includes the
    chosen app protocol in the server-side session cache and
    checks for a match on attempted resumption.

(2) a generally robust approach that solves this and all related issues
    once and for all (but may not integrate easily with certain
    protocol stack implementations...)

    The server processes ClientHello always in the same fashion as
    it would do for a full TLS handshake, and only if it done with
    deciding all negotiation, it checks for a proposal to resume an
    old session.  If there is a resumption proposal, the server
    compares the attributes of the newly negotiated parameters
    with that of the resumed session, and if the properties
    differ (in particular, if the new handshake would use a different
    server certificate than the cached session had used), the
    server will perform a full handshake instead of a session resume
    and the resulting server behaviour will bear the lowest risk of
    surprises (i.e. the session caching only results in speedup, but
    not in sessions with different properties or different identites).


-Martin

v2.23.0 | Report a Bug | By Email