IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

David-Sarah Hopwood <david-sarah@jacaranda.org> Thu, 19 November 2009 04:48 UTC

Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0BAF3A68C5 for <tls@core3.amsl.com>; Wed, 18 Nov 2009 20:48:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 61c6KV9Pn37R for <tls@core3.amsl.com>; Wed, 18 Nov 2009 20:48:22 -0800 (PST)
Received: from ey-out-2122.google.com (ey-out-2122.google.com [74.125.78.27]) by core3.amsl.com (Postfix) with ESMTP id B0DE03A6817 for <tls@ietf.org>; Wed, 18 Nov 2009 20:48:21 -0800 (PST)
Received: by ey-out-2122.google.com with SMTP id 25so397829eya.51 for <tls@ietf.org>; Wed, 18 Nov 2009 20:48:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=qg55O1SA+4oJHUASI6zQ/rivG/50laHqsELMtGgSPX8=; b=r9aFtyOB7FBXxBUvJZYZUtxpqtkRrGBXoL5Ybcfb8FQtsV9jq2NCMvNIoa67V0GwyP Q9B655vEfe1xEi7icn1VqX8dlPuFY+9buhTAFilzaCUqe9LEwt3GyHG9wppDdEC46JX8 pHE03IIJHVfXv67j1INosn/Rcz5QAyWNWLUAc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=eWl6QZ886KwEXRR0fXWmvEALLHy2uBNxIxrA+B4A+uLse2M48dRZ6Dxejr8FLP8boQ HOTncKg9HHCDi+sydQ6G1XsRM+VkPv71cVxNymM2753X24JwAY7oAsZok0EjR/3pyLR1 VbfjCUCjs3ySmK4+yy3quWYvHHENRbZxk4/bs=
Received: by 10.213.24.20 with SMTP id t20mr967184ebb.49.1258606096495; Wed, 18 Nov 2009 20:48:16 -0800 (PST)
Received: from ?192.168.0.2? (5e0212a1.bb.sky.com [94.2.18.161]) by mx.google.com with ESMTPS id 13sm65851ewy.9.2009.11.18.20.48.15 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 18 Nov 2009 20:48:16 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B04CE03.4010000@jacaranda.org>
Date: Thu, 19 Nov 2009 04:48:03 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <200911161725.nAGHPWaA014181@fs4113.wdf.sap.corp><089F31C221374096B0FE619F@446E7922C82D299DB29D899F><4B02A084.9030903@cs.tcd.ie> <20091117175000.653E669FBC6@kilo.networkresonance.com> <7E1DF37F1F42AB4E877E492C308E6AC40251FFD4@XCH57YKF.rim.net>
In-Reply-To: <7E1DF37F1F42AB4E877E492C308E6AC40251FFD4@XCH57YKF.rim.net>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enig887CC8DC6377705AD0C02CA0"
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2009 04:48:23 -0000

Robert Dugal wrote:
> I noticed you said this in the jabber log http://www.ietf.org/jabber/logs/tls/2009-11-12.txt 
> 
> [06:31:06] <EKR> It occurred to me the other day that there is a special case where hte server does not need to refuse renegotiation: when the client has sent no data yet.

and the session is not resumed, and the server has sent no data.

Many application protocols have the client sending a command or
"hello" message before the server sends any data, but some don't,
and TLS doesn't depend on that. If the server thinks it has already
sent some data, then it may not send it again in the renegotiated
session, which could confuse the client in that session.

> [06:31:20] <EKR> This would allow step-up/SGC to continue to work 9assuming we cared it)
> 
> Our products do support step-up/SGC and some customers may still be using it, or at least have servers with SGC certificates.
> Since there is no vulnerability is this special case, should some note be added to the draft? 

SGC is not relevant here; it does not use renegotiation.

AFAIK, the only clients that use Step-Up are international versions of
Netscape Communicator 4.02 to 4.72 inclusive [*], and possibly some
very early versions of Mozilla Suite before its official release.
Netscape 4.72 was released in February 2000. Those browsers are completely
insecure and no-one should still be using them, least of all if they
actually need 128-bit encryption.

The fact that a server uses a Step-Up certificate does not cause any
interoperability problem for other clients.


[*] <http://www.verisign.com/static/016585.pdf>

Technical documentation of Step-Up:
<http://marc.info/?l=apache-modssl&m=102520283911746&w=2>

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

v2.23.0 | Report a Bug | By Email