Re: [TLS] TLS Proxy Server Extension

Yoav Nir <> Mon, 01 August 2011 07:16 UTC

From: Yoav Nir <>
To: Marsh Ray <>, David McGrew <>
Date: Mon, 1 Aug 2011 10:15:59 +0300

On 8/1/11 9:28 AM, "Marsh Ray" <> wrote:

>> The intent of the authors is to enable TLS to be
>> used when a proxy is present,
>But the intent of TLS is to prevent man-in-the-middle attacks, i.e., to
>prevent you from proxying it.
>Just because you can exploit it almost reliably with a custom root CA on
>today's clients doesn't mean that it's not deeply contrary to the
>security architecture of TLS.
>Design a secure way for the legitimate endpoints to agree to share some
>session key material with you in a way that doesn't impersonate anyone.
>I might even support such an extension (but good luck convincing the
>servers of the world).

Actually, with this extension, the proxy does not need to generate a "fake
certificate". It's fine for the proxy to present a certificate for
"" and convey the real certificate in the
extension. Of course, clients would have to explicitly trust the proxy,
but that can be added as part of adding support for the extension.

As for servers, it's possible to change the tls-proxy format in
ClientHello to have a "role" field that could be either "client" or
"proxy". Then the servers would be able to reject connections from
proxies. Would that make it more acceptable?

>> and to make clients informed about both
>> the proxy and the server, and to provide cryptographically strong
>> authentication of both.
>This concept of polyamorous TLS is more radical than its proponents want
>to accept.

Practically, I don't see this happening. The IETF generally does not
radically alter protocols to fit the needs of middleboxes; it's the
middleboxes that have to adapt, at least at first. Later we do see how the
active mode of FTP replaces the passive mode because it fits NAT better.