IETF Logo Mail Archive

Re: [TLS] Triple Handshake Fix.

Alfredo Pironti <alfredo@pironti.eu> Tue, 29 April 2014 21:31 UTC

Return-Path: <alfredo@pironti.eu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3988F1A08F0 for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 14:31:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ETvFYmlsozy for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 14:31:35 -0700 (PDT)
Received: from mail-oa0-x22e.google.com (mail-oa0-x22e.google.com [IPv6:2607:f8b0:4003:c02::22e]) by ietfa.amsl.com (Postfix) with ESMTP id D5D521A02AC for <tls@ietf.org>; Tue, 29 Apr 2014 14:31:34 -0700 (PDT)
Received: by mail-oa0-f46.google.com with SMTP id i4so255282oah.5 for <tls@ietf.org>; Tue, 29 Apr 2014 14:31:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pironti.eu; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FjkzW/AapWIanwI5G4J9qfKjLJlKRWZPGDn7JN8at0k=; b=ZLLoov2IVzgxKERKTcUDHWByA1jDOCnTriIyXFyPsxEYzC5koGWt8pNNR+DmtFkpls up9hiCwIa6Td3NRtGhV1g6maf7LgSq5bObmItz92oqVjJNACZ2MP6dH+P9nOz7hSDDVR 4e0VRSh3sARXCmY7fpp4EOCr9Fxm7k4CR3790=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=FjkzW/AapWIanwI5G4J9qfKjLJlKRWZPGDn7JN8at0k=; b=HUX9Uy9lqWHJ+v7nJI2IHoXMJEXDHgi5R+k7tpmmplJefDGqi2ZZsDctCHle1+7v+j a1/CMKJ23xp107SUuRn2D3kSHFrptTplyRA+gsMIXaSeIkCnhkDPHNxsvQdvkSedZBnk Dnzb0Q6jpvXeFpV1lgKg5Z89lDs59pE47tIsZ99HYPikfE0pln5hhkQTvSFGbxR5FBto WhN9ZcTOcJOSD8xTaAqRcW4JvWNcRJku16CfTzEdv1X+QzyciULVZp0CbiRQbOLAmhqI lpEvELmrKTaphs3ZaDR/esXaf71kxkGkBGsKsk/9hJaekOziRsrak7WrcnqcTvdcIl7n fCVQ==
X-Gm-Message-State: ALoCoQlagCDgZe0MqQblkGA0jmuUV6PAu32ZFM2RFLpk1cuLW+zncT22+Igf+yMifz34GxP2z9ac
MIME-Version: 1.0
X-Received: by 10.60.103.210 with SMTP id fy18mr1536227oeb.75.1398807092981; Tue, 29 Apr 2014 14:31:32 -0700 (PDT)
Received: by 10.76.24.168 with HTTP; Tue, 29 Apr 2014 14:31:32 -0700 (PDT)
X-Originating-IP: [82.224.193.99]
In-Reply-To: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com>
References: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com>
Date: Tue, 29 Apr 2014 23:31:32 +0200
Message-ID: <CALR0ui+RfdFiQ4-1Odb8DKa3Kc_Ont__eBnpMNa9Obm1FeCi2A@mail.gmail.com>
From: Alfredo Pironti <alfredo@pironti.eu>
To: Adam Langley <agl@google.com>
Content-Type: multipart/alternative; boundary="089e0115ee7ce3045404f8352712"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/YmT4RE1yAaHhVVl84yEiqmf9bEg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Triple Handshake Fix.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 21:31:36 -0000

I've uploaded the draft to the IETF repository [1].

A tentative implementation of the fix for OpenSSL is available at [2].
(This patch currently also includes a "secure resumption" extension, which
would become unnecessary if the master secret derivation is fixed; I'm
willing to cleanup the patch if there's interest in it).

Cheers,
Alfredo

[1] http://www.ietf.org/id/draft-bhargavan-tls-session-hash-00.txt
[2]
https://secure-resumption.com/patches/OpenSSL1_0_1e-session_hash-extended_ms-secure_resumption.patch

On Tue, Apr 29, 2014 at 11:05 PM, Adam Langley <agl@google.com> wrote:

> Without a fix for the Triple Handshake issues[1], TLS Channel Bindings
> (at least tls-unique) have a significant problem, not to mention
> client-auth.
>
> Microsoft and ourselves are looking to implement the proposed fix[2]
> soon. I'd like to request that the WG adopt the draft and that the
> process for early codepoint assignment for the TLS extension start.
>
> I think the change to the master secret calculation is relatively
> uncontroversial (and is probably what the master secret should always
> have been). People might have differing opinions on the SCSV, but that
> doesn't affect whether a TLS extension number will ultimately be
> allocated for it.
>
>
> [1] https://secure-resumption.com
> [2] https://secure-resumption.com/draft-bhargavan-tls-session-hash-00.txt
>
>
> Cheers
>
> AGL
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email