Re: [TLS] Server validation of a second ClientHello
Eric Rescorla <ekr@rtfm.com> Wed, 13 February 2019 00:32 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 757E6130E30 for <tls@ietfa.amsl.com>; Tue, 12 Feb 2019 16:32:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 35RaWqMT2aWP for <tls@ietfa.amsl.com>; Tue, 12 Feb 2019 16:32:21 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A5F1130E16 for <tls@ietf.org>; Tue, 12 Feb 2019 16:32:20 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id q11so434126lfd.3 for <tls@ietf.org>; Tue, 12 Feb 2019 16:32:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RpVUf4G3PEU87j2/+U8fnhTrYWG6wel8PaN6b5YWaI8=; b=gM2QnG2+BeyuKi8jnITW5fwP77uc2LICKFa0Gaq77LtGIGFszolF70VFhTBib2DEYK oXFWamX6DHSwmDaPrrJ5uffwy46YDaf1iFuDAOzVs9CY25Y0OP1+X6HgIAX5BEsErZsQ piXScY9TWFGjl0BnMFsdyQ3bO6sHb4nixeYXHMEeDkqFHJ2IHsik1qt/e3oqgSgFURLI lz3kXPRJ7YBkGllKCRhFEiF9rxxsrmVerTZIeiD8Go90IhHYI8+LqQ0QWaZoeNQ88/SB YqJsz3hy6LDWLTRbhV7B3LC4YGxdBTIMHvj49VrcE56zRbSJicDSjUyo1BoD+HJ/e04+ 6rFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RpVUf4G3PEU87j2/+U8fnhTrYWG6wel8PaN6b5YWaI8=; b=HOs56C7up8+wneSs0OyrpzHjuTusGE7yFVthKHLOtNZhkjXpj9Xtr7uDQOyXrca5lg Ragno3D6L3VrWvNXKtK+WxfWW/JgGIFvp0M+viTDA/pzcd7pvbW86ijkgT/s0zKkR6rq Vu/ddV7kzzDG9VJIOFM3UrfmuMNeiJT9lt5HmQGpO40DMfjyrthV2Zcot2na04gzESqG Px5AOKzcgFda7E9ONVUCmk8QhUb3HZ3iPObsG+zwY+g+fajFoalT8JXNMh9IpAS/iE7W 90lATDURtPZLwbjFGz3vlBOKSGtRS5SUtYRZ50owA3E1s/8Z08kULYQ3IOjX6f/lfGNy nudw==
X-Gm-Message-State: AHQUAuYBzcjlftbCbqRAjiqGCrn7TLg9TmBlLEA4mIia/qpQUC1PQH65 HPvCjqQWLw3L2hll8fG9DSmyPeJdlh7NUKSgn1dkaQ==
X-Google-Smtp-Source: AHgI3IZKaqIWFQYH+gi7PgreffQLGq3m4Tt7Ebd6C03Bj40T902Nq0f0B6IcPtWVaPV8pGzTi/8MJ2CmCRJXB1+qXNE=
X-Received: by 2002:a19:911c:: with SMTP id t28mr3055181lfd.78.1550017938307; Tue, 12 Feb 2019 16:32:18 -0800 (PST)
MIME-Version: 1.0
References: <1549596678.898774.1653407000.2B2ACE8E@webmail.messagingengine.com> <3192766.6rApcoU5jf@pintsize.usersys.redhat.com> <1549842219.465443.1655100776.7BADB4DA@webmail.messagingengine.com> <1549980018.5oto7EOJll@pintsize.usersys.redhat.com>
In-Reply-To: <1549980018.5oto7EOJll@pintsize.usersys.redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Feb 2019 16:31:41 -0800
Message-ID: <CABcZeBNZJp+KiLEuaRZR0nO1PPEr_qcCJ9MypU104qTm6v8tcA@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: Martin Thomson <mt@lowentropy.net>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009bd4ce0581bbacf0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dG5ZiCKUi_NtXfawzQFBH-BRbLU>
Subject: Re: [TLS] Server validation of a second ClientHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 00:32:23 -0000
I concur with what I take to be MT's position here: 1. The client is clearly prohibited from changing most elements of the CH (except for listed exceptions). 2. It's reasonable to check for and fail the handshake on any spec violation except those where checking is explicitly forbidden (e.g., Must Be Zero but Must be Ignored) 3. Nothing in the spec requires the server to check for this condition. -Ekr On Tue, Feb 12, 2019 at 4:53 AM Hubert Kario <hkario@redhat.com> wrote: > On Monday, 11 February 2019 00:43:39 CET Martin Thomson wrote: > > On Fri, Feb 8, 2019, at 23:53, Hubert Kario wrote: > > > the cookie can be up to 2^16 bytes long, even if client sends all 50 > > > extensions and spaces them with unknown extensions between, that's at > most > > > 20 bytes per extension = 1000 bytes total extra space needed in cookie > > > (32 bytes and 1600 bytes if you want to be very conservative) > > > > Yeah, that's ridiculously large. With quite a few extensions supported, > and > > many more unknown to us, the only way we might realistically ensure that > > the ClientHello doesn't change is to save a hash snapshot at every > boundary > > where the cookie extension might be inserted or where an extension might > be > > changed. SHA-2 has a fairly small state to capture, but that's still > > nearly unbounded state. With an amplification factor of up to 8, meaning > > that it could be more efficient to send the client its entire ClientHello > > in the cookie. > > I definitely won't claim that it is easy or straight-forward to do, I do > claim > that it is possible. Yes, sometimes it may mean that sending the literal > CH in > cookie may be more bandwidth efficient. > > And regarding the specific extension in question, to verify that it didn't > change between Hello's it is only 2 bytes extra in cookie. If that is too > much > already, I don't think that stateless HRR is something we will see in > implementations for years to come. > > -- > Regards, > Hubert Kario > Senior Quality Engineer, QE BaseOS Security team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech > Republic_______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Server validation of a second ClientHello Martin Thomson
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Martin Thomson
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla
- Re: [TLS] Server validation of a second ClientHel… Ilari Liusvaara
- Re: [TLS] Server validation of a second ClientHel… Benjamin Kaduk
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Benjamin Kaduk
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla
- Re: [TLS] Server validation of a second ClientHel… Hubert Kario
- Re: [TLS] Server validation of a second ClientHel… Eric Rescorla