Re: [TLS] Questions about TLS Server Name Indication extension
Martin Rex <Martin.Rex@sap.com> Fri, 30 October 2009 15:04 UTC
Return-Path: <Martin.Rex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE0E13A692D for <tls@core3.amsl.com>; Fri, 30 Oct 2009 08:04:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.143
X-Spam-Level:
X-Spam-Status: No, score=-6.143 tagged_above=-999 required=5 tests=[AWL=0.106, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D-EjQA5M7XDj for <tls@core3.amsl.com>; Fri, 30 Oct 2009 08:04:20 -0700 (PDT)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id B620A3A68C1 for <tls@ietf.org>; Fri, 30 Oct 2009 08:04:19 -0700 (PDT)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id n9UF4Ww3014332 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 30 Oct 2009 16:04:32 +0100 (MET)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200910301504.n9UF4Vi1009766@fs4113.wdf.sap.corp>
To: nelson@bolyard.me
Date: Fri, 30 Oct 2009 16:04:31 +0100
In-Reply-To: <4AEA7117.7050309@bolyard.me> from "Nelson B Bolyard" at Oct 29, 9 09:52:39 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: Alexei.Volkov@sun.com, tls@ietf.org
Subject: Re: [TLS] Questions about TLS Server Name Indication extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2009 15:04:21 -0000
Nelson B Bolyard wrote: > > On 2009-10-29 16:26 PDT, Martin Rex wrote: > > Nelson B Bolyard wrote: > >> There's another issue that arises with both the SNI extension and a single > >> session ID space for the entire physical server. Which takes precedence? If the SNI made a difference in the server credential when the session was originally created, then the SNI MUST make the same difference for resume. The a requirement for consistency and reproducable behaviour. If the SNI did not make a difference when the cached session was originally created (e.g. the server doesn't support SNI), then it does not need to make a difference on resume. > >> > >> Consider this scenario: > >> Physical host has two virtual hosts, A and B. > >> First handshake: > >> client sends SNI with host name A, empty session ID. > >> server does full handshake, session ID 1. > >> Second handshake (renegotiation): > >> client sends SNI with host name B and session ID 1, > > > > That client is obviously broken. > > Perhaps, but the question is what does the server do about it? Compensate for the broken client and perform a full SSL handshake. A broken client is no excuse for inconsistent or non-predictable server behaviour. Since most real server limit the size of their session cache, you will, depending on the load of the server, not be able to predict at what point the server will have purged the cached session from his cache and will have to perform a full TLS handshake. If that full handshake will result in a TLS session with substantially different characteristics, or even with a completely different server credential, then the server behaviour will effectively become inconsistent and non-predictable if the server agrees to resume sessions that substantially differ from other session characteristics specified in the ClientHello. A server implementation that will behave inconsistent and non-predictable is always a bad idea. It does not matter that the spec fails to discourage or prohibit such a behaviour. It remains a pretty a bad idea and a sign of a broken server even when the spec does something stupid like recommending such inconsistent and non-predictable behaviour. > > >> Session ID 1 implicitly identifies host A. > >> > >> The server could > >> A) Honor the session ID and ignore the SNI. > >> B) Compare the host name in the SNI with the host name for session ID 1, > >> observe the mismatch, and do a new FULL handshake for host B. > >> C) Compare the host name in the SNI with the host name for session ID 1, > >> observe the mismatch, and return a fatal error alert. > > > > If the server supports virtual hosting through SNI, > > that's a given for this exercise > > > it should look up the session ID of the client only in the session cache > > associated with the hostname A. > > And it should choose hostname A because why? Remember that in the above > example, the SNI bears host name B. Sorry for my mistake. A session resume request with SNI B should be looked up in the session cache associated with SNI B, of course. (if the server supports SNI). > > > If a TLS session resume proposal with [an] SNI for B arrives, > > there will be no cached session with that session ID in the > > TLS session cache tied to credential for A, so it must result > > in a full TLS handshake. > > So, you're proposing that the server should look in the SNI first to see > which host name is there, and use that info to decide which virtual host's > server session cache to examine for the numbered session? Correct. > In other words, > each virtual host has its own separate session cache with fully overlapping > spaces of session ID numbers, disambiguated by the SNI host name, yes? > In this model, an SNI would be absolutely required to resume a session that > had been established with an SNI, yes? Correct. > > > A server that has different credentials for A and B (and would > > use them based on SNI > > The whole point of SNI is to have different credentials for different > virtual hosts. If you don't have different credentials for different > virtual hosts, (e.g. if you have a single certificate for all your > virtual hosts) then you don't need SNI. If a server supports SNI, but shares a single credential for several (or all) virtual hosts, then there would be no consistency or non-predictability problem if the server shared the TLS session caches in the same fashion. In my architecture, the SSL session cache of the server is tied to the server credential. If the architecture permits updating the server credentials while the server is running under full load, then you really want to be able to flush exactly and efficiently the cached TLS sessions related to that specific previous credential and leave the rest of the cached TLS sessions assiciated with other, still unchanged credentials, untouched. -Martin
- [TLS] Questions about TLS Server Name Indication … Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Wan-Teh Chang
- Re: [TLS] Questions about TLS Server Name Indicat… Michael D'Errico
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Michael Gray
- Re: [TLS] Questions about TLS Server Name Indicat… Wan-Teh Chang
- Re: [TLS] Questions about TLS Server Name Indicat… Peter Gutmann
- Re: [TLS] Questions about TLS Server Name Indicat… Martin Rex
- Re: [TLS] Questions about TLS Server Name Indicat… Martin Rex
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Questions about TLS Server Name Indicat… Martin Rex
- Re: [TLS] Multiple domain names in SNI (was Quest… Michael D'Errico
- Re: [TLS] Multiple Session Caches and SNI (was Qu… Michael D'Errico
- Re: [TLS] Multiple domain names in SNI (was Quest… Martin Rex
- Re: [TLS] Renegotiation with SNI after initial co… Michael D'Errico
- Re: [TLS] Multiple domain names in SNI (was Quest… Michael D'Errico
- Re: [TLS] Multiple Session Caches and SNI (was Qu… Martin Rex
- Re: [TLS] Multiple domain names in SNI (was Quest… Martin Rex
- Re: [TLS] Questions about TLS Server Name Indicat… Nelson B Bolyard
- Re: [TLS] Multiple Session Caches and SNI Michael D'Errico
- Re: [TLS] Multiple domain names in SNI (was Quest… Michael Gray
- Re: [TLS] Multiple domain names in SNI (was Quest… Michael D'Errico
- Re: [TLS] Requiring SNI for resumption (was Quest… Michael D'Errico
- Re: [TLS] Multiple Session Caches and SNI Martin Rex
- Re: [TLS] Multiple Session Caches and SNI Michael D'Errico
- Re: [TLS] Questions about TLS Server Name Indicat… Michael D'Errico
- Re: [TLS] Questions about TLS Server Name Indicat… Pasi.Eronen