Re: [TLS] Interaction between session resumption and negotiated protocol version

David Benjamin <davidben@chromium.org> Fri, 03 April 2015 23:53 UTC

References: <CANOyrg9BSVAtVC4y34jMi-OAbK5OHMFsTUOhxRJqgGKGzO41xQ@mail.gmail.com> <BLU177-W41FFC60C00F3D8BAFDC57DC3F10@phx.gbl> <CAF8qwaAqn8mYVP8E95HC_s9jK8dshm-PWALJLO76tBeA1qvZXQ@mail.gmail.com> <201504031933.31280.davemgarrett@gmail.com>
In-Reply-To: <201504031933.31280.davemgarrett@gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 03 Apr 2015 23:53:19 +0000
Message-ID: <CAF8qwaCBC8BT164n5x1pSYb_c-AnVYDin4_Q8cCLbJg6+cDgKA@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>, tls@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fx9-jAF9bO3SLRb9hmjB6WNvzls>

On Fri, Apr 3, 2015 at 7:33 PM Dave Garrett <davemgarrett@gmail.com> wrote:

> TLS 1.2 has:
>
> Whenever a client already knows the highest protocol version known to
> a server (for example, when resuming a session), it SHOULD initiate
> the connection in that native protocol.
>
> TLS 1.3 currently has:
>
> A client resuming a session SHOULD initiate the connection using the
> version that was previously negotiated.
>

That new version is also unwise, and the entire text should just be dropped. It
means you get stuck at that version even if the server gets upgraded later.

It also tends to compound itself with other problems. Maybe you implement a
version fallback, but fail to shard the session cache by fallback type (you
really really should do that if you have a fallback). Now any spurious
fallback is sticky and there's no way to get back to the original version
unless the session expires on the client. (Expiring on the server doesn't
help you any. The damage is done before ServerHello.)

I cannot stress enough how much pain and suffering that one little sentence
can cause. :-) I ended up completely redoing the version negotiation logic
in BoringSSL because of how far OpenSSL takes that advice on the client and
how much it breaks.

David
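The failure mode in the message above, as an added toy simulation (not code from BoringSSL, OpenSSL or Chromium, and not part of the original post): a client with a browser-style version fallback and a session cache. The host name `example.test`, the `Server`/`Client` classes, the `sticky_resume` and `shard_cache` switches and the `run()` scenario are all constructed for this illustration. It shows that a client following the "initiate at the previously negotiated version" advice stays at the fallback version forever when its cache is keyed only by host, that expiring the session on the server does not help because the low version is already in the ClientHello, and that keying the cache by (host, was-this-a-fallback) lets the client climb back on the very next connection.

```python
"""Toy model of TLS version fallback interacting with a client session cache.

Constructed simulation for this page; it is not BoringSSL, OpenSSL or Chromium
code. Versions are the TLS wire values; a handshake that returns None stands in
for a transient network failure that a 2015-era client would answer with a
version fallback."""
from dataclasses import dataclass, field
import itertools

TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303
VERSIONS_DESC = (TLS1_2, TLS1_1, TLS1_0)
_ids = itertools.count(1)          # session-id generator (assumption: ints)


@dataclass
class Session:
    sid: int
    version: int                    # version this session was negotiated at


@dataclass
class Server:
    max_version: int = TLS1_2
    drop_next_handshake: bool = False            # one transient failure
    sessions: dict = field(default_factory=dict)  # sid -> Session

    def handshake(self, client_version, session=None):
        """Return (session, resumed) or None if the handshake 'times out'.

        Modelling assumption: a session is only resumed when its version
        equals the version the server would negotiate now (real stacks
        reject a version mismatch on resumption)."""
        if self.drop_next_handshake:
            self.drop_next_handshake = False
            return None
        negotiated = min(client_version, self.max_version)
        if (session is not None and session.sid in self.sessions
                and session.version == negotiated):
            return session, True
        new = Session(next(_ids), negotiated)
        self.sessions[new.sid] = new
        return new, False           # full handshake


@dataclass
class Client:
    sticky_resume: bool   # follow "initiate at the previously negotiated version"
    shard_cache: bool     # key the cache by (host, fallback?) instead of host
    max_version: int = TLS1_2
    cache: dict = field(default_factory=dict)

    def _key(self, host, fallback):
        return (host, fallback) if self.shard_cache else (host,)

    def connect(self, host, server):
        """One connection with a downgrade dance on failure.

        Returns (negotiated_version, resumed)."""
        fallback = False
        for attempt in VERSIONS_DESC:
            if attempt > self.max_version:
                continue
            cached = self.cache.get(self._key(host, fallback))
            # The sticky advice: if we hold a session, start the connection at
            # its version rather than at our own maximum. The damage is done
            # here, in the ClientHello, before the server says anything.
            offered = cached.version if (cached and self.sticky_resume) else attempt
            result = server.handshake(offered, cached)
            if result is not None:
                session, resumed = result
                self.cache[self._key(host, fallback)] = session
                return session.version, resumed
            fallback = True         # any failure: retry one version lower
        raise ConnectionError("all versions failed")


def run(sticky, shard, n=4, server_flush_after_first=False):
    """First connection hits a transient failure and falls back; the rest are
    clean. Returns the negotiated version of each connection."""
    server = Server(drop_next_handshake=True)
    client = Client(sticky_resume=sticky, shard_cache=shard)
    versions = []
    for i in range(n):
        version, _ = client.connect("example.test", server)
        versions.append(version)
        if i == 0 and server_flush_after_first:
            server.sessions.clear()  # server-side expiry of the session
    return versions


if __name__ == "__main__":
    for sticky, shard in ((True, False), (True, True), (False, False)):
        print(f"sticky={sticky} shard={shard}: "
              f"{['%x' % v for v in run(sticky, shard)]}")
```

The `sticky=True, shard=False` run is the OpenSSL-style client the message describes: one dropped handshake and every later connection offers TLS 1.1, resumed or not, and clearing the server's session store changes nothing because the client has already chosen its ClientHello version from its own cache. Either dropping the advice or sharding the cache by fallback is enough in this model to get back to TLS 1.2 on the next attempt; real deployments want both, since sessions negotiated under fallback may also carry weaker parameters than a non-fallback handshake would have produced.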