Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
<home_pw@msn.com> Mon, 15 January 2007 18:57 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6X1o-0001Q3-Js; Mon, 15 Jan 2007 13:57:56 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6X1n-0001Px-Dl for tls@ietf.org; Mon, 15 Jan 2007 13:57:55 -0500
Received: from bay0-omc2-s27.bay0.hotmail.com ([65.54.246.163]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H6X1l-0002LV-Nw for tls@ietf.org; Mon, 15 Jan 2007 13:57:55 -0500
Received: from hotmail.com ([65.55.131.13]) by bay0-omc2-s27.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 15 Jan 2007 10:57:53 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 15 Jan 2007 10:57:52 -0800
Message-ID: <BAY126-DAV3FB5F2BEE682A4281A02A92B50@phx.gbl>
Received: from 70.142.20.165 by BAY126-DAV3.phx.gbl with DAV; Mon, 15 Jan 2007 18:57:51 +0000
X-Originating-IP: [70.142.20.165]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: martin.rex@sap.com, ekr@networkresonance.com
References: <200701151803.TAA01170@uw1048.wdf.sap.corp>
Subject: Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
Date: Mon, 15 Jan 2007 10:57:50 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 15 Jan 2007 18:57:52.0915 (UTC) FILETIME=[0F4C9630:01C738D7]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: b280b4db656c3ca28dd62e5e0b03daa8
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
>> > You say choked, I say graceful fail. >> >> No, I don't agree with this analysis. The server being >> unwilling >> to resume a session is normal behavior. The TLS state >> machine >> explicitly handles such cases. Implementations which >> choke >> rather than doing a full handshake are broken. > > I fully agree with Eric that a client MUST deal gracefully > with > a server that does not resume a proposes SSL session (ID) > for > whatever reason. Show me the text in the standard that says MUST (or even half hints MUST from the English wording). Tell me it MUST apply to EAP-TLS, too. More importantly, tell me what "appropriate" and "graceful" then mean, for packets on the wire. Tell me what the server MUST do, if the client does not comply. Your both making this out to be security- or interoperability- critical (it's a MUST, Peter!!) Eric is clear that this is not a new concept (for novel discussion); but an ancient one. It must be pretty obviously disclosed, or have been improved (by now) due to the years of text review. Now, for my part, I already pointed out text that says, I the implementer have 100% control over open and closing connections. NOTHING IN THIS STANDARD SHALL ... Now, I will also listen to any decent appeal. I'm willing to be convinced (just show me some half reasonable basis from the standard), as the text I'm quoting was admittedly highly contextualized. But, it was also an adamant, general claim. So, give me some SSl2, SSL3, TLS1.x text (not argument) to weigh against it. Concerning the evidence:- "The particular problem in the scenario that I listed might be that the client, by retrieving a cached session from its cache thought he had several parameter (including the protocol version) already established and treated the response from the server (who didn't resume as proposed) probably more like a renegotiation rather than a new handshake, and therefore might have considered the unavailablility of the previous higher protocol version a rollback attack." VERY LIKELY! This is in MY purview - as a implementer - to decide; Martin, you are making my point for me. My implementations don't support ANY of the fallback practices, either, by default! Now that implementation may or may not have a good attack signature algorithm; perhaps its intentionally non-conforming in its TLS handling of protocol version negotiation, even. But, my only point is: its for EITHER PEER to decide (right or wrong) on whether it closes a connection abruptly. We cannot assume otherwise in any case, since the IDS may interdict packet flow anyways, for its own reasons. E.g. If you even propose NullWithNull in a non private-mode EAP-TLS handshake, you will be dropped by my IDS. Period. Now if I'm am even half convinced that the standard specifies what you both assert, I will properly eat crow, but I will not actually change my default security policy: Ill simply disclose non-conforming (default) behavior. Gaining Interoperability in open systems OFTEN DOES demand a lowering of absolute thesh-holds - but at the user's discretion. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Question on Stateless TLS Session Resumption Narayanan, Vidya
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] Re: when is it ok to resume a cached SSL/TL… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Kyle Hamilton
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- RE: [TLS] Question on Stateless TLS Session Resum… Narayanan, Vidya
- Re: [TLS] when is it ok to resume a cached SSL/TL… Martin Rex