Re: [TLS] SNI and tickets and resumption
Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Mon, 11 August 2014 04:29 UTC
Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9A051A02DF for <tls@ietfa.amsl.com>; Sun, 10 Aug 2014 21:29:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyeOhJL8810m for <tls@ietfa.amsl.com>; Sun, 10 Aug 2014 21:29:04 -0700 (PDT)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D90AA1A02E0 for <tls@ietf.org>; Sun, 10 Aug 2014 21:29:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=k23xZ8mZ+6TEwLVJmBJ61uT1829NWIzr9FseFj6OAfI=; b=i2pDPF1TMw5PWzxWnukOJO1aB6yc387OsMUzgGAQMu1xQdKoVE7mDi/K0J6vK7eO9F1tgWPkBE5XtWdQMgo2kJcKlWAH/2ihBRsnDlW1L62qTEtHkAb6pMwC5FOd74lx;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (envelope-from <antoine@delignat-lavaud.fr>) id 1XGhDx-0003gG-3h ; Mon, 11 Aug 2014 06:28:45 +0200
Message-ID: <53E8467B.2090609@delignat-lavaud.fr>
Date: Mon, 11 Aug 2014 05:28:43 +0100
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Brian Sniffen <bsniffen@akamai.com>, Martin Rex <mrex@sap.com>
References: <20140808232503.6480A1ADFC@ld9781.wdf.sap.corp> <m28umvy8qs.fsf@usma1mc-0csx92.kendall.corp.akamai.com>
In-Reply-To: <m28umvy8qs.fsf@usma1mc-0csx92.kendall.corp.akamai.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vNRwqMJJ3axpYHfeGEOPIuEmQVs
Cc: Adam Langley <agl@imperialviolet.org>, "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] SNI and tickets and resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 04:29:05 -0000
Le 8/11/2014 5:02 AM, Brian Sniffen a écrit : >> Essentially, whenever a full handshake would result in the use of the >> same server certificate as the resumption proposed by the client, >> my server will perform session resumption, and ingnore SNI mismatches. > So if a server has a giant SAN cert for `eff.org` and `nsa.gov`, and a > session with one is resumed to the other---that's unsurprising? I don't > see a path all the way through to an attack, but it leads me to worry > about a web app and a web server interacting in this way. Yes, it *is* indeed unsurprising: this behavior is the standard in SPDY and in the current HTTP2 draft even though it goes against the spirit of RFC 6066 -- see my message in the thread "inter-protocol attacks". Moreover, current webservers will also proceed with resumption even if the SNI provided by the client would have resulted in the server picking a different certificate. This is why resumption can be used to bypass certificate validation - this problem is related to yet another TLS API problem with the SNI callback. In many cases, the application may not even get to see the certificate selection callback from TLS when doing resumption. Best, Antoine Delignat-Lavaud
- [TLS] SNI and tickets and resumption Salz, Rich
- Re: [TLS] SNI and tickets and resumption Adam Langley
- Re: [TLS] SNI and tickets and resumption Salz, Rich
- Re: [TLS] SNI and tickets and resumption Martin Thomson
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Adam Langley
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Sajeev S
- Re: [TLS] SNI and tickets and resumption Brian Sniffen
- Re: [TLS] SNI and tickets and resumption Antoine Delignat-Lavaud
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Martin Rex
- Re: [TLS] SNI and tickets and resumption Viktor Dukhovni
- Re: [TLS] SNI and tickets and resumption Viktor Dukhovni