Re: [TLS] RFC 7366 and resumption
mrex@sap.com (Martin Rex) Wed, 05 November 2014 22:44 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5BEF1A00B9 for <tls@ietfa.amsl.com>; Wed, 5 Nov 2014 14:44:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.651
X-Spam-Level:
X-Spam-Status: No, score=-5.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_55=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jeNw3UDq6BZ3 for <tls@ietfa.amsl.com>; Wed, 5 Nov 2014 14:44:40 -0800 (PST)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C54FF1A008C for <tls@ietf.org>; Wed, 5 Nov 2014 14:44:39 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id F044C3A18C; Wed, 5 Nov 2014 23:44:37 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 98AE841D13; Wed, 5 Nov 2014 23:44:37 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 8E2081AF95; Wed, 5 Nov 2014 23:44:37 +0100 (CET)
In-Reply-To: <545A8F49.70203@polarssl.org>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Date: Wed, 05 Nov 2014 23:44:37 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20141105224437.8E2081AF95@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/kAr9bNfKL6RwAhAbhuHBZ3Ys6Zo
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] RFC 7366 and resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Nov 2014 22:44:42 -0000
Manuel Pégourié-Gonnard wrote: > Peter Gutmann wrote: >> Manuel Pégourié-Gonnard <mpg@polarssl.org> writes: >> >>> It seems to me that RFC 7366 falls in the same category as "Most current TLS >>> extensions" above, ie is only relevant when a session is initiated, and on >>> resumption the server should ignore the extension and restore the state from >>> the saved session. >> >> Yes, it just follows standard practice from RFC 5246, >> so the server ignores it if present in Client Hello. > > Ok, thanks for the confirmation! Huh? I believe such behaviour to be partially WRONG (and a bad idea). Not returning the extension in ServerHello on resumption seems to be current worst^Wbest practice, but resuming a session that was originally negotiated with EtM when the resumption request is lacking the EtM extension looks like a bad idea to me. Btw. such behaviour means that any rfc5077-style TLS session tickets will have to accomodate all such properties, and all servers sharing the session tickets may have to be synchronously updated with a flag day... Btw. rfc6066 contains at least one self-inconsistency at this point: rfc6066 on the bottom of page 4 reads: *> Note also that all the extensions defined in this document are *> relevant only when a session is initiated. A client that requests session resumption does not in general know whether the server will accept this request, and therefore it SHOULD send the same extensions as it would send if it were not attempting resumption. When a client includes one or more of the defined extension types in an extended client hello while requesting session resumption: - The server name indication extension MAY be used by the server when deciding whether or not to resume a session as described in Section 3. - If the resumption request is denied, the use of the extensions is negotiated as normal. *> - If, on the other hand, the older session is resumed, then the *> server MUST ignore the extensions and send a server hello *> containing none of the extension types. In this case, the *> functionality of these extensions negotiated during the original *> session initiation is applied to the resumed session. And the definition of the Server Name Indication extension, that is part of this RFC 6066, explicitly contradicts the first sentence of the latter (*>) paragraph. But agrees with the second sentence: A server that implements this extension MUST NOT accept the request to resume the session if the server_name extension contains a different name. Instead, it proceeds with a full handshake to establish a new session. When resuming a session, the server MUST NOT include a server_name extension in the server hello. Personally, I would consider it much more logical for the EtM spec when it would "perform a full handshake instead" if a client proposes to resume a session that was originally established with EtM, but fails to include the EtM extension in the resumption request. This latter behaviour follows the "principle of least surprise". Whether the server has already flushed the session from the server-side cache that the client proposes for resumption should not affect the properties of the resulting security context. Otherwise the behaviour will become strangely non-deterministic, and the only part of one's software that should exhibit non-deterministic behaviour are those few functions that are officially labelled as random number generators. -Martin
- Re: [TLS] RFC 7366 and resumption Martin Rex
- [TLS] RFC 7366 and resumption Manuel Pégourié-Gonnard
- Re: [TLS] RFC 7366 and resumption Peter Gutmann
- Re: [TLS] RFC 7366 and resumption Manuel Pégourié-Gonnard
- Re: [TLS] RFC 7366 and resumption Manuel Pégourié-Gonnard