IETF Logo Mail Archive

Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 30 June 2015 21:31 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 175501A9096 for <tls@ietfa.amsl.com>; Tue, 30 Jun 2015 14:31:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y7SLnx2Z4SGc for <tls@ietfa.amsl.com>; Tue, 30 Jun 2015 14:31:26 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0108.outbound.protection.outlook.com [207.46.100.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C07481A9093 for <tls@ietf.org>; Tue, 30 Jun 2015 14:31:26 -0700 (PDT)
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) with Microsoft SMTP Server (TLS) id 15.1.195.15; Tue, 30 Jun 2015 21:31:24 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0195.005; Tue, 30 Jun 2015 21:31:24 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "mrex@sap.com" <mrex@sap.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates
Thread-Index: AQHQs3MRkef6bIVx+0iShvNHWvsYnZ3FjFPw
Date: Tue, 30 Jun 2015 21:31:24 +0000
Message-ID: <BLUPR03MB1396345FC41E35BC22C5762A8CA90@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <20150630202613.D07251A1AD@ld9781.wdf.sap.corp>
In-Reply-To: <20150630202613.D07251A1AD@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: sap.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e8:ee31::5]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1396; 5:o8KXZHuPSALnSd7CPaU/LyWlIWfYdn5wN1IZmF9YlCxAASxIj4V+4FTiUCcMdJrNJ0vvaHyOnKdauP0YdaXHFvoIvuNWoZMHymklPXiOKoQZNKqukQiqFofg9FCtUq4gWVWmywAEqLpIE2r2Es1udQ==; 24:qbxxOVd1sPJdhw+R/iHgV7MeJ/ErITA43Z0zWjqdUJCJ+1LTAPZbt9A0fT0B8H96qJfKnlxden0MtFtQZOFdcJOoXILUmaoM2R1bpHc5vok=; 20:gEpPxC/UEQelaXyEd11P32KhcoUKnp0vKv9RoPwzHAEI3xVtY2omdDl9HihkskZcElZ3jOYInw3XEHOCwopD+w==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1396;
x-microsoft-antispam-prvs: <BLUPR03MB13966C1B953240EE60E68EF18CA90@BLUPR03MB1396.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BLUPR03MB1396; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1396;
x-forefront-prvs: 06237E4555
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(52314003)(13464003)(77156002)(62966003)(50986999)(76176999)(92566002)(74316001)(2950100001)(102836002)(2900100001)(5002640100001)(54356999)(33656002)(107886002)(5001770100001)(5001960100002)(189998001)(106116001)(122556002)(99286002)(2501003)(19580395003)(19580405001)(86362001)(2656002)(87936001)(77096005)(5003600100002)(15975445007)(76576001)(15974865002)(46102003)(7059030)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1396; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jun 2015 21:31:24.7775 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1396
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/kipUCsAteGsCx1ls5zKPuJbwk0g>
Subject: Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 21:31:30 -0000

Hi Martin,

> If the server uses distict server certificates per application protocol and properly(!!) performs a full handshake if the server certificate does not fit the requested application protocol, then alternating requests with two different protocols to the same server will result in constant full TLS handshakes.

Yes, if a client negotiates a different application protocol on a subsequent connection, the server may reject resumption (which the server can always do anyway, regardless of ALPN).
 
> But what can also easily happen, is that the server is inappropriately sharing the server-side session cache an incorrectly resuming sessions associated with the wrong server certificate (a different certificate than what the server would select if it would perform a full TLS handshake), ...

This would be a server bug indeed.

> Essentially, I believe that tagging of the session with the ALPN negotiated protocol to result in more "predictable" behaviour, because it will not interfere with client-side session cache management and not result in occasional confusion should other server implementors ever make their servers use different server certificates for different ALPN-negotiated protocols.

Can you describe how such tagging would work in more detail?

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Rex
Sent: Tuesday, June 30, 2015 1:26 PM
To: tls@ietf.org
Subject: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates

I'm currently implementing support for ALPN in our middlware, and I'm wondering how to account for ALPN in the client side session caching management, because rfc7301 describes two mutually exclusive objectives and the ALPN protocol does not provide a means for the server to disambiguate the desired semantics in the ServerHello response.


rfc7301,
   https://tools.ietf.org/html/rfc7301#section-1

Section 1. last sentence of paragraph 2 (end of page 2):

                                           Further, it would be
   advantageous to allow certificate selection based on the negotiated
   application protocol.
 
Section 1, last sentence of paragraph 4 (last paragraph):

                         The application protocol negotiation can thus
   be accomplished within the TLS handshake, without adding network
   round-trips, and allows the server to associate a different
   certificate with each application protocol, if desired.

is in conflict with

Section 3.1, last paragraph
   https://tools.ietf.org/html/rfc7301#page-5

   Unlike many other TLS extensions, this extension does not establish
   properties of the session, only of the connection.  When session
   resumption or session tickets [RFC5077] are used, the previous
   contents of this extension are irrelevant, and only the values in the
   new handshake messages are considered.


Currently, my client-side session cache management, and the decision whether to propose a TLS session to the server for resumption, is based on a match of the application supplied "target name" which is usually an fqdn hostname, but could also be an abbreviated hostname or an IP address.

When the server does not resume the proposed session, and performs a full handshake instead, my client purges the previous cached session and adds the newly established session to the client-side session cache instead.


If the server uses distict server certificates per application protocol and properly(!!) performs a full handshake if the server certificate does not fit the requested application protocol, then alternating requests with two different protocols to the same server will result in constant full TLS handshakes.

But what can also easily happen, is that the server is inappropriately sharing the server-side session cache an incorrectly resuming sessions associated with the wrong server certificate (a different certificate than what the server would select if it would perform a full TLS handshake), and if the different server certificate attributes are relevant to the application protocol, then this would result in random client-side errors (failed server certificate validation) when there is already a session for the _other_ app in the client-side session cache.

I've seen incorrect server-side session cache pooling before, e.g.
a few years ago between docs.google.com and www.google.com.

Essentially, I believe that tagging of the session with the ALPN negotiated protocol to result in more "predictable" behaviour, because it will not interfere with client-side session cache management and not result in occasional confusion should other server implementors ever make their servers use different server certificates for different ALPN-negotiated protocols.


-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email