IETF Logo Mail Archive

Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates

mrex@sap.com (Martin Rex) Fri, 03 July 2015 20:48 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A82941A87B3 for <tls@ietfa.amsl.com>; Fri, 3 Jul 2015 13:48:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2RN6OneSywUC for <tls@ietfa.amsl.com>; Fri, 3 Jul 2015 13:48:45 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEAAE1A87AB for <tls@ietf.org>; Fri, 3 Jul 2015 13:48:44 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 8835944BA2; Fri, 3 Jul 2015 22:48:42 +0200 (CEST)
X-purgate-ID: 152705::1435956522-00005316-5AEB258B/0/0
X-purgate-size: 2740
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 7806842748; Fri, 3 Jul 2015 22:48:42 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 6ED111A1B3; Fri, 3 Jul 2015 22:48:42 +0200 (CEST)
In-Reply-To: <BLUPR03MB1396CB5B90F8F921981A7CF78CA80@BLUPR03MB1396.namprd03.prod.outlook.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Date: Fri, 03 Jul 2015 22:48:42 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150703204842.6ED111A1B3@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/tkn280NjPt8R3Gj1kP8-UGXjus8>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RFC7301 ALPN conflicting objectives about app-specific server certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2015 20:48:47 -0000

Andrei Popov wrote:
>
> I agree with Victor that there is no conflict. If the server chooses
> to offer different certificates for different application protocols,
> such server needs to consider the negotiated ALPN ID while making the
> resumption decision.

You're oversimplifying the problem.

Recall the specifics of the design-flaw in rfc7301:

   Unlike many other TLS extensions, this extension does not establish
   properties of the session, only of the connection.  When session
   resumption or session tickets [RFC5077] are used, the previous
   contents of this extension are irrelevant, and only the values in the
   new handshake messages are considered.

and then look at the data that rfc5077 proposes to carry along in
session_tickets -- there is *NO* pointer to the server certificate
that was used to establish this session:


   https://tools.ietf.org/html/rfc5077#page-11

      struct {
          ProtocolVersion protocol_version;
          CipherSuite cipher_suite;
          CompressionMethod compression_method;
          opaque master_secret[48];
          ClientIdentity client_identity;
          uint32 timestamp;
      } StatePlaintext;

      enum {
         anonymous(0),
         certificate_based(1),
         psk(2)
     } ClientAuthenticationType;

      struct {
          ClientAuthenticationType client_authentication_type;
          select (ClientAuthenticationType) {
              case anonymous: struct {};
              case certificate_based:
                  ASN.1Cert certificate_list<0..2^24-1>;
              case psk:
                  opaque psk_identity<0..2^16-1>;   /* from [RFC4279] */
          };
       } ClientIdentity;


So rfc7301 + rfc5077 + application-specific certificates is a pig
that can not fly.

Btw. there is also a problem for use of TLS extension SNI
in combination with rfc5077 -- a server using rfc5077 as suggested will
be unable to prevent "virtual host confusion"

   https://bh.ht.vc/vhost_confusion.pdf

and will also be unable to properly implement the checks that rfc6066
specifies for ression resumption when TLS extension SNI is used.


> 
> To me, these are implementation details, and probably not something a
> mainstream implementation will support.


Nope, these are design characteristics (or failures) of the spec.
SSL session cache management and session resumption is an area that
has been underspecified in SSL&TLS from the beginning, and the contents
of rfc5077 suggests to me, that the amount of folks (and implementors)
who understand the consequences for caching, when a server has more than
one server certificate on his hands, might be rather small.


-Martin

v2.23.0 | Report a Bug | By Email