Re: [TLS] draft-ietf-tls-renegotation: next steps
Eric Rescorla <ekr@networkresonance.com> Wed, 16 December 2009 19:08 UTC
Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DCB5B3A6842; Wed, 16 Dec 2009 11:08:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.734
X-Spam-Level:
X-Spam-Status: No, score=-1.734 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s5wvfNmw0mMZ; Wed, 16 Dec 2009 11:08:21 -0800 (PST)
Received: from kilo.networkresonance.com (dhcp-128-107-47-89.cisco.com [128.107.47.89]) by core3.amsl.com (Postfix) with ESMTP id 0C3713A6833; Wed, 16 Dec 2009 11:08:21 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 71BF56C823C; Wed, 16 Dec 2009 11:08:11 -0800 (PST)
Date: Wed, 16 Dec 2009 11:08:10 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: Pasi.Eronen@nokia.com
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F31F17456@NOK-EUMSG-01.mgdnok.nokia.com>
References: <808FD6E27AD4884E94820BC333B2DB774F31F17456@NOK-EUMSG-01.mgdnok.nokia.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091216190811.71BF56C823C@kilo.networkresonance.com>
Cc: ietf@ietf.org, tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-renegotation: next steps
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 19:08:22 -0000
At Wed, 16 Dec 2009 10:53:37 +0100, <Pasi.Eronen@nokia.com> wrote: > - The current draft doesn't clearly say what should be included in > legacy (insecure) renegotiation ClientHellos. I am not sure if we have > enough clear opinions to call consensus, but keeping it aligned with > the initial ClientHello (either MSCV or extension) seems to be one > simple approach (but I hope to see the actual text). Attached is some candidate text that attempts to implement this. It is possible that un-upgraded servers will request that the client renegotiate. It is RECOMMENDED that clients refuse this renegotiation request. Clients which do so MUST respond to such requests with a "no_renegotiation" alert [RFC 5246 requires this alert to be at the "warning" level.] It is possible that the apparently un-upgraded server is in fact an attacker who is then allowing the client to renegotiate with a different, legitimate, upgraded server. In order to detect this attack, clients which choose to renegotiate MUST provide either the TLS_RENEGO_PROTECTION_REQUEST SCSV or "renegotiation_info" in their ClientHello. In a legitimate renegotiation with an un-upgraded server, either of these signals will be ignored by the server. However, if the server (incorrectly) fails to ignore extensions, sending the "renegotiation_info" extension may cause a handshake failure. Thus, it is permitted, though NOT RECOMMENDED, for the client to simply send the SCSV. This is the only situation in which clients are permitted to not send the "renegotiation_info" extension in a ClientHello which is used for renegotiation. Note that in the case of this downgrade attack attack above, if this is the initial handshake from the server's perspective, then use of the SCSV from the client precludes detection of this attack by the server. However, the attack will be detected by the client when the server sends an empty "renegotiation_info" extension and the client is expecting one containing the previous verify data. By contrast, if the client sends the "renegotiation_info" extension, then the server will immediately detect the attack. After flip-flopping on this in my head a few times, however, my personal view, is that I think this goes too far in the direction of accomodating broken servers. Sending RI in this instance only creates an interop problem when a server (1) is doing something we know to be really unsafe and (2) can't even ignore extensions correctly. We've seen a number of suggestions that we actually forbid renegotiation in case (1) and while I suspect WG consensus doesn't go that far, it's not clear to me that we need to not only allow it but also compensate for servers which are broken in other respects. So, my preference would be to simply mandate RI with the previous verify_data here as in all other cases. > I've asked the document editor to update the draft as soon as > possible. The IESG will discuss this document this Thursday (December > 17), and I hope we can have an approved specification before > Christmas. I'm working on revisions now. -Ekr
- [TLS] draft-ietf-tls-renegotation: next steps Pasi.Eronen
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Paul Hoffman
- Re: [TLS] draft-ietf-tls-renegotation: next steps Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Eric Rescorla
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Kemp, David P.
- Re: [TLS] draft-ietf-tls-renegotation: next steps Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- [TLS] Generic process issues (Re: Re: draft-ietf-… Nicolas Williams
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps David-Sarah Hopwood
- Re: [TLS] draft-ietf-tls-renegotation: next steps Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Pasi.Eronen
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] [POSSIBLE SPAM] Re: draft-ietf-tls-rene… Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Marsh Ray
- Re: [TLS] draft-ietf-tls-renegotation: next Kyle Hamilton
- Re: [TLS] draft-ietf-tls-renegotation: next Martin Rex
- Re: [TLS] draft-ietf-tls-renegotation: next Michael D'Errico
- Re: [TLS] draft-ietf-tls-renegotation: next David-Sarah Hopwood