IETF Logo Mail Archive

[TLS] when is it ok to resume a cached SSL/TLS session

Martin Rex <martin.rex@sap.com> Mon, 15 January 2007 14:02 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6SPg-0002LA-B5; Mon, 15 Jan 2007 09:02:16 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6SPe-0002L2-Mk for tls@ietf.org; Mon, 15 Jan 2007 09:02:14 -0500
Received: from smtpde02.sap-ag.de ([155.56.68.170]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H6SPd-0002Fb-9q for tls@ietf.org; Mon, 15 Jan 2007 09:02:14 -0500
Received: from sap-ag.de (smtpde02) by smtpde02.sap-ag.de (out) with ESMTP id PAA16306; Mon, 15 Jan 2007 15:01:56 +0100 (MEZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200701151401.PAA27837@uw1048.wdf.sap.corp>
To: ekr@networkresonance.com
Date: Mon, 15 Jan 2007 15:01:56 +0100
In-Reply-To: <863b6eh9v5.fsf@raman.networkresonance.com> from "Eric Rescorla" at Jan 13, 7 01:53:18 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 2.3 (++)
X-Scan-Signature: b4a0a5f5992e2a4954405484e7717d8c
Cc: tls@ietf.org
Subject: [TLS] when is it ok to resume a cached SSL/TLS session
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Eric Rescorla wrote:
> 
> Yes, it's discussed extensively in the SBR04 paper on Client-Side
> Session Caching.
> 
> Shacham, H., Boneh, D., and E. Rescorla, "Client-side
> caching for TLS", Transactions on Information and System
> Security (TISSEC) , Volume 7, Issue 4, November 2004.

Since you didn't include an URL, I assume this isn't available online
anwhere.

We have just been reported by one of our customers what I consider
a bug in the client side SSL/TLS session cache of a popular Browser,
failing on a flawed assumption.

Scenario:  A host running two seperate SSL/TLS secured services
(a J2EE- and a C/C++-built serice) on different TCP-Ports using
seperate SSL/TLS (one is pure Java, the other pure C) implementations
that differ in the highest supported protocol version.

The Service with the newer implementation is the "main service"
or entry point, and it sometimes generates URLs
referencing the other service (same host, different TCP-Port)
with the older SSL/TLS implementation.


The problem: The popular browser, when trying to access the older
SSL/TLS implementation on a different TCP-Port is sending a
session ID from the newer SSL/TLS implementation, apparently trying
to resume an existing SSL session in the client-side session cache.

The server doesn't recognize that session and replies with
a Server Hello containing his highest protocol version, plus
plus server certificate message plus client cert request plus
server hello done.  The popular Web Browser closes the network
connection without sending any kind of SSL alert and shows
"Page cannot be displayed" to the user.


I firmly believe that this is a conceptual flaw on the client
side, making a flawed assumption about when a cached SSL session
can be expected to be resumable.

The problem is not with the client sending an existing session ID,
it is about dealing with the servers reply during the SSL/TLS handshake.
 - a server on a different port might not be sharing the session
   cache with the other
 - a server on a different port migt be using an entirely different
   SSL/TLS protocol implementation supporting different protocol
   versions and extensions
 - a server on a different port might be using a seperate server cert
 - a server on a different port might be sending/using an independent
   list of trusted CAs in a client certificate request

In our customers case, the Browser might be aborting thinking that
the a version rollback attack is being performed, but honestly, I don't
know what the problem is.  The browsers SSL implementation is
extremely poor/broken when reporting errors.


-Martin





_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email