Re: [TLS] More clarity on resumption and session hash

Karthikeyan Bhargavan <> Mon, 25 May 2015 17:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3ABD51A1A13 for <>; Mon, 25 May 2015 10:45:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.56
X-Spam-Status: No, score=-6.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id X8l-todogAKW for <>; Mon, 25 May 2015 10:45:10 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8ED181A036B for <>; Mon, 25 May 2015 10:45:09 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.13,493,1427752800"; d="asc'?scan'208";a="154369643"
Received: from (HELO []) ([]) by with ESMTP/TLS/AES128-SHA; 25 May 2015 19:45:07 +0200
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_2CAEE669-3137-4279-9F4E-695B9011C4A1"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail 2.5b6
From: Karthikeyan Bhargavan <>
In-Reply-To: <>
Date: Mon, 25 May 2015 19:45:05 +0200
Message-Id: <>
References: <>
To: Eric Rescorla <>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] More clarity on resumption and session hash
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 May 2015 17:45:12 -0000

Right, there was discussion on this and here’s the current rationale.

If the original handshake used the extended master secret,
then even if the resumption handshake does not, it is still protected
by the key derivation in the original handshake.

The only situation when I can see this happening is when the resumption handshake goes to different
endpoints than the original handshake (e.g. in WPA), but maybe someone on the list knows better whether the following is a reasonable use case.

The client connects to an access point which forwards the (EAP-TLS) connection to the (Radius) server.
The server speaks TLS + extended master secret and the client and server agree upon a master secret.
The server installs the master secret at the access point, which itself does not support extended master secret.
The client can now communicate directly with the access point,  and also resume (EAP fast reauth) connections directly with access points without the need to recontact the Radius server

A similar scenario can perhaps be envisioned in cases where a server farm of front-ends directs initial connections to a powerful server that supports extended master secret, but resumption handshakes (via session tickets) can be handled by any (legacy) server.

Far fetched?

On 25 May 2015, at 19:35, Eric Rescorla <> wrote:

> I'm updating the NSS session hash implementation to conform to the new spec
> and I see that it's very clear on what happens when you have a resumption
> where the original handshake did not include the extension and the new one
> does (thanks David and Martin)
>   o  If the original session did not use an extended master secret but
>       the new ClientHello does contain the "extended_master_secret"
>       extension, the server MUST NOT perform the abbreviated handshake.
>       Instead, it SHOULD continue with a full handshake to negotiate a
>       new session.
> However, it's less clear on what happens when the original handshake included
> the extension and the new one does not:
>    o  If the new ClientHello does not contain the
>       "extended_master_secret" extension, the server SHOULD abort the
>       handshake.  If it continues with an abbreviated handshake in order
>       to interoperate with legacy peers, then the considerations in
>       Section 5.4 apply.
> This doesn't seem to distinguish between the two cases (original session
> did and did not use the extension), but they seem different, since the
> original session not using session hash is a common case (legacy) whereas
> an extension->no extension transition is an anomaly. Note that the client
> *is* required to send it, so I think there's a reasonably strong
> argument that the server should require it.
> The two main options appear to be:
>     1. Fall back to a full handshake.
>     2. Abort the connection
> The argument for the first appears to be interop. The argument for the
> second appears to be that it's likely there is an error or a mid-flight
> reconfiguration on the client (which seems not good). My mild preference
> is for abort but I think it's important in any case that the draft be
> clear.
> Similarly, the text about the client side doesn't seem to draw this
> distinction:
>       If the new ServerHello does not contain the
>       "extended_master_secret" extension, the client SHOULD abort the
>       handshake.  If it continues with an abbreviated handshake in order
>       to interoperate with legacy peers, then the considerations in
>       Section 5.4 apply.
> Because above the server is required to provide the extension when
> resuming a session where the extension was negotiated, it seems like
> we should require the client to fail in that case (that's the sense
> of the MUST).
> I see there was some discussion on the list 3/10 but it was inconclusive.
> -Ekr
> _______________________________________________
> TLS mailing list