Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Fri, Jul 03, 2015 at 10:48:42PM +0200, Martin Rex wrote:

> So rfc7301 + rfc5077 + application-specific certificates is a pig
> that can not fly.

Well, firstly there is no requirement to structure session tickets
exactly as indicated.  They are encrypted, and the server can put
anything it wants in them.

Secondly, just like clients can implement "split" caches (use more
cache lookup attributes than just the transport endpoint), so can
servers.  The server can add a context id into the session ticket,
and only resume sessions that match that context id.

> Btw. there is also a problem for use of TLS extension SNI
> in combination with rfc5077 -- a server using rfc5077 as suggested will
> be unable to prevent "virtual host confusion"
> 
>    https://bh.ht.vc/vhost_confusion.pdf
> 
> and will also be unable to properly implement the checks that rfc6066
> specifies for ression resumption when TLS extension SNI is used.

Since session ticket content is a private matter for the server,
the standard does not preclude implementations that apply all the
relevant checks.  When I write code in this space, I tend to put
more of the responsibility for avoiding virtual host confusion on
the client.

> Nope, these are design characteristics (or failures) of the spec.
> SSL session cache management and session resumption is an area that
> has been underspecified in SSL&TLS from the beginning, and the contents
> of rfc5077 suggests to me, that the amount of folks (and implementors)
> who understand the consequences for caching, when a server has more than
> one server certificate on his hands, might be rather small.

Documenting the care due in more detail sounds like a reasonable idea.

-- 
	Viktor.