IETF Logo Mail Archive

Re: [TLS] Summary of discussion regarding spontaneuous authentication

mrex@sap.com (Martin Rex) Wed, 22 October 2014 15:19 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E596E1ACD6A for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 08:19:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.652
X-Spam-Level:
X-Spam-Status: No, score=-4.652 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dMOLmcoocwdi for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 08:19:09 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A75A1ACD51 for <tls@ietf.org>; Wed, 22 Oct 2014 08:18:21 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 5758172077; Wed, 22 Oct 2014 17:18:19 +0200 (CEST)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 4F2E34227D; Wed, 22 Oct 2014 17:18:19 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 44A791AF05; Wed, 22 Oct 2014 17:18:19 +0200 (CEST)
In-Reply-To: <CABkgnnXAk+HU2yaUJdOQ0w-heHwYrPK6Zf3HrH5tU+2Tk7_cCA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 22 Oct 2014 17:18:19 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20141022151819.44A791AF05@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/bocXKQeqKtuRNDoKKT89dZ1okGQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Summary of discussion regarding spontaneuous authentication
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 15:19:14 -0000

Martin Thomson wrote:
> 
> We discussed the removal of the CertificateRequest and we will permit
> the client to unilaterally send authentication.
> 
> The theory here is that clients tend to know whether they need to
> authenticate.

This looks like a bad idea to me.
The by far most important information in the current CertificateRequest
handshake message is the "certification_authorities" field, which indicates
certificate issuers which the server considers acceptable.
In SSLv3 and TLSv1.0 the certificate_authorities field was required
to be non-empty and no (server) behaviour was defined for the meaning
of an empty certification_authorities field in CertificateRequest.

The TLSv1.1 and TLSv1.2 specification contain a defect in that they
modified the PDU definition to allow an empty certification_authorities
field in CertificateRequest, but failed to define (require) a server
behaviour when the server does not send this information.
Without the requirement, that the serer MUST NOT abort the TLS handshake
when sending an empty certificate_authorities and receiving a certificate
which it does not trust, the use of an empty certificate_authorities
field does not make sense.


With recent versions of Lync, Microsoft seems to automatically create a
Lync-specific "SSL client identity" that works for nothing but Lync, but
will successfully interfere with SSL client credentials selections when
browsers are using an SSL client identity for accessing regular Web sites.

To make SSL client certificate authentication work reasonably
a CertificateRequest that conveys acceptable certificate_authorities
for the specific handshake is absolutely necessary.

Apple Safari seems to be notoriously broken when it comes to SSL client
certificate selection, because it fails to process the certificate_authorities
field from a CertificateRequest handshake message and remove obviously
unacceptable certs from the list of credentials that the user is
presented to select from.   I've had customers report connection
failures to our AppServers, and from the server-side error messages
I could see that the client was trying to connect with some appleid
certificate that our server didn't trust (and certainly never announced
in the CertificateRequest.certificate_authorities field.

Microsoft had a similar problem in WinHTTP in 2005
http://support.microsoft.com/kb/909425/en

After WinHTTP was fixed to provide the necessary information
to application callers, it is still necessary for application callers
to actually _use_ that information to select only acceptable certificates,
and that seems to take years to happen.
This is the fix for Office/WebDAV:
http://support.microsoft.com/kb/2647954/en

And Apple Safari 4 Windows also still has this bug today.


With the certificate_authorities field in the current CertificateRequest
handshake message, these are only (fixable) bugs.  With the removal
of the CertificateRequest handshake message, this problem would be
promoted to a TLSv1.3 protocol design flaw, and become unfixable.


-Martin

v2.23.0 | Report a Bug | By Email