[TLS] Avoiding first use of RI in ClientHello
Eric Rescorla <ekr@networkresonance.com> Wed, 25 November 2009 22:34 UTC
Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 123923A67AE for <tls@core3.amsl.com>; Wed, 25 Nov 2009 14:34:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.328
X-Spam-Level:
X-Spam-Status: No, score=0.328 tagged_above=-999 required=5 tests=[AWL=0.310, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id arE1nI0A5ZI3 for <tls@core3.amsl.com>; Wed, 25 Nov 2009 14:34:32 -0800 (PST)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id 2BBED3A67AA for <tls@ietf.org>; Wed, 25 Nov 2009 14:34:32 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 4265B6C3285 for <tls@ietf.org>; Wed, 25 Nov 2009 14:35:02 -0800 (PST)
Date: Wed, 25 Nov 2009 14:35:02 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: tls@ietf.org
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091125223502.4265B6C3285@kilo.networkresonance.com>
Subject: [TLS] Avoiding first use of RI in ClientHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 22:34:33 -0000
Folks, I wanted to try to resolve what I see as the major technical concern people have about draft-ietf-tls-renegotiation-00, namely that the client cannot offer secure renegotiation and be sure that it won't cause a connection failure with a downrev (extension noncompliant) server. There's been a lot of discussion of whether this is a serious problem, but it's clear that minimal risk of breaking things that currently work (which some folks think requires not using extensions in the initial ClientHello) is important for the timely deployment of the fix, and with the current draft, that may require fall-back to extension-less handshake. It's unclear how often such fall-back logic would actually be needed, and I do find Nelson's "tough love" approach here sort of appealing, but it does seem to be a problem that you don't necessarily know for sure whether you need it or not until you've actually shipped the product with extensions, and possibly broken applications that currently work. It's especially concerning that fall-back can't be implemented reliably inside the TLS library, e.g., if you just get a filehandle, so changes to the app logic are required. The rest of this message describes a simple modification [*] to draft-ietf-tls-negotiation which I think addresses this compatibility issue without requiring fall-back. The idea is to use a magic cipher suite to signal that the client can securely renegotiate (as described in draft-mrex-tls-secure-renegotiation). However, the server treats this EXACTLY as if the client had offered an empty RI extension, and responds with its own RI extension (or if it doesn't implement the full extension framework, just adds a known byte string to the end of the ServerHello). In other words: Client Server ------------------------------------------------------ ClientHello + TLS_RENEGO_PROTECTION_REQUEST -> <- ServerHello + Empty RI At this point, the client now knows that the server supports secure renegotiation and can simply send RI in any renegotiation handshake (and if the client doesn't implement the full extensions framework, it could just add a known byte string to the end of the ClientHello, without requiring full extension support). Note that this is reminiscent of the SSLv2->SSLv3 transition where clients would initially offer backward compatibility handshakes but once they knew the server was SSLv3-capable would offer the new ClientHello. What about 5246 and unsolicited extensions? As far as I can tell, the major argument against using extensions for S->C signalling is the 5246 prohibition against the server providing unsolicited extensions. However, that was clearly intended to prevent the server from sending extensions the client didn't expect and that's not the case here. Moreover, we're updating 5246 so we can relax the restriction for this extension (though I would think not in general). What about not putting the verify data in the extension? I think that issue is separable from the question of how we signal support, so would like to deal with it separately. (It seems this won't make any difference for the bigger questions like can deploying the fix break things that currently work, or whether you can implement the fix purely inside the TLS library) What about SSLv3? Obviously, the ClientHello is compatible with SSLv3. (and the magic cipher suite can be offered even in SSLv2 backward compatible hello---ugh!). Although SSLv3 does not have the TLS extension framework, we could also specify that the server (once it sees the magic cipher suite indicating the client supports this draft) just appends the relevant fixed-length byte string to the end of the ServerHello. What do people think about this approach? -Ekr [*] I didn't invent this approach, I'm just reproposing it to try to focus discussion.
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Robert Relyea
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Avoiding first use of RI in ClientHello peter.robinson
- Re: [TLS] Avoiding first use of RI in ClientHello Min Huang
- Re: [TLS] Verify data in the RI extension? Yoav Nir
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- [TLS] Perhaps there's another way. Was: Verify da… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- [TLS] What would be the point of removing signall… David-Sarah Hopwood
- Re: [TLS] Perhaps there's another way. Was: Verif… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] What would be the point of removing sig… Marsh Ray
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Perhaps there's another way. Was: Verif… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Simon Josefsson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Nikos Mavrogiannopoulos
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Marsh Ray
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Yoav Nir