Re: [TLS] SNI and tickets and resumption

Viktor Dukhovni <> Mon, 11 August 2014 17:52 UTC

Date: Mon, 11 Aug 2014 17:52:00 +0000
From: Viktor Dukhovni <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [TLS] SNI and tickets and resumption
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Mon, Aug 11, 2014 at 12:02:03AM -0400, Brian Sniffen wrote:

> > Essentially, whenever a full handshake would result in the use of the
> > same server certificate as the resumption proposed by the client,
> > my server will perform session resumption, and ignore SNI mismatches.
> So if a server has a giant SAN cert for `` and ``, and a
> session with one is resumed to the other---that's unsurprising?  I don't
> see a path all the way through to an attack, but it leads me to worry
> about a web app and a web server interacting in this way.

With DANE TLSA records of the form:

    IN CNAME
    IN CNAME
    IN TLSA DANE-EE(3) SPKI(1) SHA2-256(1) {blob}

and supposing that at some future date, browsers support RFC 6698
and updates, the name in the server certificate is entirely
irrelevant, the name to key binding is in DNS.  The HTTPS server
is then authenticated by its public key alone.  The clients will
then send SNI with either "" or "" (on the
off chance that the server cares), but there is nothing a priori
wrong with a single certificate associated with multiple domains
(as unlikely as it may seem that and would choose
the same hosting provider).

> On the other hand, RFC 6066 also says:
>    A server that implements [SNI] MUST NOT accept the request
>    to resume the session if the server_name extension contains a
>    different name.  Instead, it proceeds with a full handshake to
>    establish a new session.

Some client caches are poorly designed, and their cache lookup key
might be only the peer IP:port and not the associated domain or
other relevant data.  Servers should tolerate this at least to the
extent performing a full handshake instead of resumption.

Resuming with mismatched SNI is perhaps in conflict with 6066, but
seems harmless from a server perspective, the error is on the client
side, and if there are security consequences, it seems to me that
the exposure is there as soon as the client offers to resume the
mismatched session.

I think it is the client that SHOULD NOT resume sessions across
mismatched SNI values, since it can no longer be sure it is connected
to the intended server.  I see little harm in the server saying
yes if the certificate is the same in either case.
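The two policies discussed in this thread, the server resuming only when a full handshake would present the same certificate and the client keying its session cache on the peer name rather than just ip:port, modelled as an added Python example. This is illustration code written for this page, not code from the post, from OpenSSL or from any real TLS stack; the host names, certificates and session identifiers are constructed placeholders.

```python
"""Toy model of TLS session resumption across mismatched SNI.

Constructed example: a server holding one SAN certificate for two names
and a different certificate for a third, a client whose cache is keyed
by (name, ip, port), and a poorly designed client whose cache is keyed
by (ip, port) only, as the post describes.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed certificate identities (stand-ins for real certificates).
CERT_SHARED = "cert-A (SAN: shop.example, blog.example)"
CERT_OTHER = "cert-B (SAN: mail.example)"

# The certificate a *full* handshake would select for a given SNI value.
SERVER_CERT_FOR_NAME = {
    "shop.example": CERT_SHARED,
    "blog.example": CERT_SHARED,
    "mail.example": CERT_OTHER,
}
DEFAULT_CERT = CERT_OTHER  # presented when SNI is absent or unknown


@dataclass
class Session:
    session_id: bytes
    server_cert: str        # certificate presented in the original full handshake
    sni: Optional[str]      # server_name the client sent when the session was created


class Server:
    def __init__(self):
        self.cache = {}  # session_id -> Session

    def cert_for(self, sni):
        return SERVER_CERT_FOR_NAME.get(sni, DEFAULT_CERT)

    def full_handshake(self, sni):
        sess = Session(secrets.token_bytes(16), self.cert_for(sni), sni)
        self.cache[sess.session_id] = sess
        return ("full", sess)

    def handle_client_hello(self, sni, offered_session_id=None, strict_rfc6066=False):
        """Return ("resumed", session) or ("full", session)."""
        sess = self.cache.get(offered_session_id) if offered_session_id else None
        if sess is None:
            return self.full_handshake(sni)
        if sess.sni != sni:
            if strict_rfc6066:
                # RFC 6066 section 3: MUST NOT resume on a different server_name.
                return self.full_handshake(sni)
            # Relaxed policy from the post: resume only if a full handshake for
            # this SNI would present exactly the same certificate; otherwise
            # fall back to a full handshake rather than fail.
            if self.cert_for(sni) != sess.server_cert:
                return self.full_handshake(sni)
        return ("resumed", sess)


class Client:
    """keyed_by_name=False models a cache keyed only on peer ip:port."""

    def __init__(self, keyed_by_name=True):
        self.keyed_by_name = keyed_by_name
        self.cache = {}

    def _key(self, host, ip, port):
        return (host, ip, port) if self.keyed_by_name else (ip, port)

    def connect(self, server, host, ip, port, strict=False):
        key = self._key(host, ip, port)
        cached = self.cache.get(key)
        offered = cached.session_id if cached else None
        kind, sess = server.handle_client_hello(host, offered, strict)
        self.cache[key] = sess
        return kind, sess


def run_scenarios():
    """Exercise the combinations and return which handshake type each produced."""
    server = Server()
    ip, port = "192.0.2.10", 443  # constructed address
    out = {}

    good = Client(keyed_by_name=True)
    good.connect(server, "shop.example", ip, port)
    out["good_client_shop_again"] = good.connect(server, "shop.example", ip, port)[0]
    # A name-keyed client never offers the shop session to blog, so: full handshake.
    out["good_client_blog"] = good.connect(server, "blog.example", ip, port)[0]

    bad = Client(keyed_by_name=False)
    bad.connect(server, "shop.example", ip, port)
    # ip:port-keyed client offers the shop session to blog; same SAN cert -> resumed.
    out["bad_client_blog_relaxed"] = bad.connect(server, "blog.example", ip, port)[0]
    # Same client offers that session to mail; different cert -> full handshake.
    out["bad_client_mail"] = bad.connect(server, "mail.example", ip, port)[0]

    bad_strict = Client(keyed_by_name=False)
    bad_strict.connect(server, "shop.example", ip, port, strict=True)
    # Strict RFC 6066 server: any SNI mismatch -> full handshake.
    out["bad_client_blog_strict"] = bad_strict.connect(server, "blog.example", ip, port, strict=True)[0]
    return out


if __name__ == "__main__":
    for name, kind in run_scenarios().items():
        print(f"{name}: {kind}")
```

The model shows why the post locates the exposure on the client side: with a cache keyed by name the mismatched offer never happens at all, and with the relaxed server policy a mismatched offer can only ever be resumed when the certificate is one the client would have been shown by a full handshake anyway. Cross-certificate resumption is never accepted in either mode.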