Re: [TLS] Summarizing identity change discussion so far
Martin Rex <mrex@sap.com> Thu, 10 December 2009 00:04 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F104328C140 for <tls@core3.amsl.com>; Wed, 9 Dec 2009 16:04:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.193
X-Spam-Level:
X-Spam-Status: No, score=-6.193 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydOtDP1eig-H for <tls@core3.amsl.com>; Wed, 9 Dec 2009 16:04:44 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 4B54C3A6A9E for <tls@ietf.org>; Wed, 9 Dec 2009 16:04:42 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nBA04SCP018067 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 10 Dec 2009 01:04:28 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912100004.nBA04REb017724@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Thu, 10 Dec 2009 01:04:27 +0100
In-Reply-To: <4B202BCD.40500@extendedsubset.com> from "Marsh Ray" at Dec 9, 9 04:59:25 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Summarizing identity change discussion so far
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2009 00:04:46 -0000
Marsh Ray wrote: > > > I guess an even worse example would be something like this: > > > > conn = openTlsConnection(host, port) > > if not verifyCertChain(conn.getPeerCert()): > > raise "Not a valid cert" > > if conn.getPeerCert().getName() != expected_name: > > raise "Name in certificate doesn't match" > > # continue... > > _After_ renegotation is fixed (and/or disabled by default) though, how > is this a problem? RI proves the data has come from the same remote > endpoint. That same remote endpoint has proven that he can supply an > acceptable cert, too. > > In order for this example to be a problem, the legitimate client would > have to renegotiate specifically for the purpose of dropping certain > cert credentials. This would seem to imply that the application code was > expecting cert changes. The above code sample provide by Pasi is about client-side code, as indicated by "openTlsConnection" and the comparison "conn.getPeerCert().getName() != expected_name" So this is more about server certificates changing then clients using different credentials. And it is about apps coding above TLS, and not about details of TLS implementations. Since a non-negligible amount of clients will need allow old renegotiation for a little while, one might want to think about mitigating unexpected changes the server certificate. > > This is not to say that there's no application that could be confused by > such a change, only that I haven't seen any real examples. Nelson > suggested a test tool used internally with NSS might do something > agressive with certs and renegotiation like that. > > I don't think it's inherently broken. It seems reasonable to me for one > party to say "By the initial handshake and two subsequent renegotiations > I have proven posession of the private keys for these three certificates". There are a lot of applications scenarios where this either doesn't make any sense or will cause endless problems, support calls and confusion. Would you want your browser to send *ALL* your WWW-authenticate credentials to every server and let the server pick (AFAIK the protocol doesn't even allow that). In most Audit log facilities, you can only log *ONE* identity for which an operation was attempted (and failed or succeeded), and not an arbitrary set of identites. As soon as you have larger distributed systems, your TLS endpoint might be a reverse proxy at the perimeter of the backend server farm. The reverse proxy is going to forward the initially authenticated cert to the backend application, the backend application will perform an authentication, create a backend session and issue a session identifier. >From that point on, all requests carrying that session ID will be processed under this backend session context, and the reverse proxy will often forward all requests with that session identifier to the same backend host (because of the backend state identified by the session id). To the backend server, it is entirely irrelevant how many TCP connections there are established between a client and the revers proxy -- and for protocols like HTTPS, these will be terminated quite often. For HTTPS, a client that shows a different cert after renegotiation just doesn't make any sense most of the time. If the client wants to use a different cert, he should open a new network connection. If the reverse proxy or the backend wants to mitigate session-id-stealing it might employ a memcmp() on the certificates forwarded by the reverse proxy, and will rightfully abort if that changes. A client architecture which allows the use of different client certificates on different connects and does not reliably distinguish TLS sessions established with different client properties (anonymous, client cert A, client cert B, ...) is probably broken. > > With renegotiation fixed, credentials supplied on different handshakes > may legitimately be treated as additive. This is how https client > certificates often work: an initial anon-client connection adds a client > cert to the connection by renegotiating. Nope, that is not how it works. A client that has not been previously authenticated performs a client cert authentication. That is a highlander operation. Which of the TLS implementation actually keeps a set of certs/cert-chains for a TLS peer crowd created through renegotiation and has API calls to iterate through them? The implementations that I know have only APIs to request "THE" peer certificate. So if there actually are apps today that can handle a multitude of client identites on a SSL/SecurityContext handle, they will likely have to implement that at the app layer, because very few, if any TLS implementations provide "a set of TLS peers". -Martin
- [TLS] Summarizing identity change discussion so f… Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Summarizing identity change discussion … Stephen Farrell
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Eric Rescorla
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Stefan Santesson
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Michael Gray
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- [TLS] OpenPGP Certs for TLS [was: Re: Summarizing… Daniel Kahn Gillmor
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Kyle Hamilton
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … Peter Saint-Andre
- Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
- Re: [TLS] Summarizing identity change discussion … Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Summarizing identity change discussion … Marsh Ray
- Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)
- Re: [TLS] Summarizing identity change discussion … Stephen Farrell
- Re: [TLS] Summarizing identity change discussion … Martin Rex
- Re: [TLS] Summarizing identity change discussion … Nelson B Bolyard
- Re: [TLS] Summarizing identity change discussion … Nasko Oskov
- Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
- Re: [TLS] Summarizing identity change discussion … David-Sarah Hopwood
- Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)
- Re: [TLS] Summarizing identity change discussion … Pasi.Eronen
- Re: [TLS] Summarizing identity change discussion … Joseph Salowey (jsalowey)