Re: [TLS] SNI and tickets and resumption

Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Mon, 11 August 2014 04:29 UTC

Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9A051A02DF for <tls@ietfa.amsl.com>; Sun, 10 Aug 2014 21:29:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyeOhJL8810m for <tls@ietfa.amsl.com>; Sun, 10 Aug 2014 21:29:04 -0700 (PDT)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D90AA1A02E0 for <tls@ietf.org>; Sun, 10 Aug 2014 21:29:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=k23xZ8mZ+6TEwLVJmBJ61uT1829NWIzr9FseFj6OAfI=; b=i2pDPF1TMw5PWzxWnukOJO1aB6yc387OsMUzgGAQMu1xQdKoVE7mDi/K0J6vK7eO9F1tgWPkBE5XtWdQMgo2kJcKlWAH/2ihBRsnDlW1L62qTEtHkAb6pMwC5FOd74lx;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (envelope-from <antoine@delignat-lavaud.fr>) id 1XGhDx-0003gG-3h ; Mon, 11 Aug 2014 06:28:45 +0200
Message-ID: <53E8467B.2090609@delignat-lavaud.fr>
Date: Mon, 11 Aug 2014 05:28:43 +0100
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Brian Sniffen <bsniffen@akamai.com>, Martin Rex <mrex@sap.com>
References: <20140808232503.6480A1ADFC@ld9781.wdf.sap.corp> <m28umvy8qs.fsf@usma1mc-0csx92.kendall.corp.akamai.com>
In-Reply-To: <m28umvy8qs.fsf@usma1mc-0csx92.kendall.corp.akamai.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vNRwqMJJ3axpYHfeGEOPIuEmQVs
Cc: Adam Langley <agl@imperialviolet.org>, "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] SNI and tickets and resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Aug 2014 04:29:05 -0000

Le 8/11/2014 5:02 AM, Brian Sniffen a écrit :
>> Essentially, whenever a full handshake would result in the use of the
>> same server certificate as the resumption proposed by the client,
>> my server will perform session resumption, and ingnore SNI mismatches.
> So if a server has a giant SAN cert for `eff.org` and `nsa.gov`, and a
> session with one is resumed to the other---that's unsurprising?  I don't
> see a path all the way through to an attack, but it leads me to worry
> about a web app and a web server interacting in this way.

Yes, it *is* indeed unsurprising: this behavior is the standard in SPDY 
and in the current HTTP2 draft even though it goes against the spirit of 
RFC 6066 -- see my message in the thread "inter-protocol attacks".
Moreover, current webservers will also proceed with resumption even if 
the SNI provided by the client would have resulted in the server picking 
a different certificate. This is why resumption can be used to bypass 
certificate validation - this problem is related to yet another TLS API 
problem with the SNI callback. In many cases, the application may not 
even get to see the certificate selection callback from TLS when doing 
resumption.

Best,

Antoine Delignat-Lavaud