Re: [TLS] WGLC for draft-ietf-tls-sni-encryption
mrex@sap.com (Martin Rex) Wed, 17 October 2018 23:41 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4386130E1A for <tls@ietfa.amsl.com>; Wed, 17 Oct 2018 16:41:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jve7Givzo_7z for <tls@ietfa.amsl.com>; Wed, 17 Oct 2018 16:41:12 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 946DD130E03 for <tls@ietf.org>; Wed, 17 Oct 2018 16:41:12 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 42b7wk4Z4vzydN; Thu, 18 Oct 2018 01:41:10 +0200 (CEST)
X-purgate-ID: 152705::1539819670-00000211-64696636/0/0
X-purgate-size: 5298
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 42b7wk23MTzGqb1; Thu, 18 Oct 2018 01:41:10 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 39D36404C; Thu, 18 Oct 2018 01:41:10 +0200 (CEST)
In-Reply-To: <CABcZeBPCz39L0LQBXUM-yhhN3FmccNwQRvYNT+-ChfxRcPdD+g@mail.gmail.com>
References: <9DE64F7F-4740-4410-A004-373D8919920B@sn3rd.com> <20181017170236.DA9D1404C@ld9781.wdf.sap.corp> <CABcZeBPCz39L0LQBXUM-yhhN3FmccNwQRvYNT+-ChfxRcPdD+g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 18 Oct 2018 01:41:10 +0200
CC: mrex@sap.com, Sean Turner <sean@sn3rd.com>, "<tls@ietf.org>" <tls@ietf.org>
Reply-To: mrex@sap.com
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20181017234110.39D36404C@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uxFxT7FGALUqXnYmv4lh7UFb5Eg>
Subject: Re: [TLS] WGLC for draft-ietf-tls-sni-encryption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2018 23:41:16 -0000
Eric Rescorla <ekr@rtfm.com> wrote: > Martin Rex <mrex@sap.com> wrote: > > > Sean Turner <sean@sn3rd.com> wrote: > > > > > > This is the working group last call for the > > > "Issues and Requirements for SNI Encryption in TLS" > > > draft available at > > > http://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/. > > > Please review the document and send your comments to the list > > > by 2359 UTC on 31 October 2018. > > > > > > I think the idea of encrypted SNI is inherently flawed in its concept. > > > > It's pretty late to raise this point Nope, I've raised this *EVERY* time on the list when the dead horse was newly beaten. > >> As it is, there are a number of servers which desperately require >> the presence of TLS extension SNI, or will fail TLS handshakes either >> by choking and dropping connections (Microsoft IIS 8.5+) or by >> very unhelpful alerts (several others), and also HTTP/2.0 requires >> unconditional cleartext presence of TLS extension SNI. Any kind of >> heuristics-based approach for clients to guess whether or not to >> send TLS extension SNI is flawed from the start. If a network >> middlebox can make a client present a cleartext TLS extension SNI >> by refusing connections without cleartext TLS extension SNI, >> the entire effort becomes pretty useless. > > Yes, clients must not fall back to cleartext SNI in this case. Please give a clear deterministic algorithm how a client can tell apart a server that requires cleartext SNI from a server that does not want cleartext SNI. > > It is necessary > > that the client knows reliably that a hostname must not be sent > > in the clear, including when the connection fails for unknown reasons, > > and only a new URI method will reliably provide such a clear distinction. > > > > I don't agree with this claim, given that we have a number of other proposed > mechanisms for the client to know when ESNI is allowed, including DNS. DNS is a non-starter for several reasons. Ever heard of firewalled networks, private DNS universes and HTTP CONNECT proxies? Then the TLS implementation itself may be completely free of blocking network IO. > >> By sending TLS extension SNI in the clear to a server, the client >> tells that server: I am going to perform an rfc2818 "HTTP over TLS" >> section 3.1 "Server Endpoint Identification" matching > > I don't know where you get this from, given that RFC 6066 doesn't > even cite 2818. Simply to avoid a downref. I should not have to explain this to you. rfc2818, section 3.1: 3.1. Server Identity In general, HTTP/TLS requests are generated by dereferencing a URI. As a consequence, the hostname for the server is known to the client. If the hostname is available, the client MUST check it against the server's identity as presented in the server's Certificate message, in order to prevent man-in-the-middle attacks. rfc6066, section 3: 3. Server Name Indication TLS does not provide a mechanism for a client to tell a server the name of the server it is contacting. It may be desirable for clients to provide this information to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address. It looks blatantly obvious to me that rfc2818: "check the hostname of the server agains the server's identity as presented in the server's Certifcate messag" and rfc6066: "a mechanism for a client to tell a server the name of the server it is contacting" refers to the VERY SAME THING, and that the check urged by rfc2818 section 3.1 is the reason why the server responding with the _wrong_ certificate is a problem. > > In protocol version SSLv3->TLSv1.2, encryption keys are only established > >> *AFTER* successful authentication of the server through its server >> certificate. So it was obviously impossible to encrypt the information >> whose only purpose it was to allow the server to decide *which* TLS Server >> certificate to use for authentication (hen-and-egg). > > This isn't really correct: the mechanism for encrypting SNI itself would > actually work fine in previous versions of TLS as well. Actually, no, it will not work at all in TLSv1.2 (this would not be TLSv1.2 anymore, or an entirely different TLS extension) My server-side implementation of TLS extension SNI is entirely outside of the TLS protocol stack. My middleware selects the Server certificate, and my middleware also provides the convenience function for rfc2818 section 3.1 server endpoint identification as well as the client-side SSL session cache management, because you essentially can not do this within TLS, and rfc5246 even clearly says, your implementatin shouldn't (acutally it is pretty close to a TLS must not, rfc5246, top of page 5): The TLS standard, however, does not specify how protocols add security with TLS; the decisions on how to initiate TLS handshaking and how to interpret the authentication certificates exchanged are left to the judgment of the designers and implementors of protocols that run on top of TLS. -Martin
- [TLS] WGLC for draft-ietf-tls-sni-encryption Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Stephen Farrell
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Martin Rex
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Martin Rex
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Geoffrey Keating
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption David Fifield
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Salz, Rich
- Re: [TLS] WGLC for draft-ietf-tls-sni-encryption Mark O