Re: [TLS] SNI and Resumption/0-RTT

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 21 October 2016 14:57 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 975F71295E1 for <tls@ietfa.amsl.com>; Fri, 21 Oct 2016 07:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.331
X-Spam-Level:
X-Spam-Status: No, score=-2.331 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O_Bqim1RbW9q for <tls@ietfa.amsl.com>; Fri, 21 Oct 2016 07:57:15 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id A7D9C12952C for <tls@ietf.org>; Fri, 21 Oct 2016 07:56:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 48BDA1396B; Fri, 21 Oct 2016 17:56:40 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id dw-5MQrfes21; Fri, 21 Oct 2016 17:56:40 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-237-87.bb.dnainternet.fi [87.100.237.87]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 021BA21C; Fri, 21 Oct 2016 17:56:39 +0300 (EEST)
Date: Fri, 21 Oct 2016 17:56:32 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Martin Rex <mrex@sap.com>
Message-ID: <20161021145632.GA8760@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20161021140310.GB8197@LK-Perkele-V2.elisa-laajakaista.fi> <20161021143512.84D5D1A565@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20161021143512.84D5D1A565@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vUM0BKHcqgsxxyKS4EMkpVYODhg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] SNI and Resumption/0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2016 14:57:17 -0000

On Fri, Oct 21, 2016 at 04:35:12PM +0200, Martin Rex wrote:
> Ilari Liusvaara wrote:
> > On Fri, Oct 21, 2016 at 11:41:59PM +1100, Martin Thomson wrote:
> >> On 21 October 2016 at 19:55, Ilari Liusvaara <ilariliusvaara@welho.com>; wrote:
> >>> Of course, defining the "same certificate" is
> >>> way trickier than it initially seems
> >> 
> >> Not if you think simplistically: same octets in EE ASN1Cert
> >> in both handshakes.
> > 
> > Such behaviour would run into problems with certificate renewal.
> 
> Just the opposite.  You definitely want full handshake on
> certificate renewal.
> 
> I don't know how common it is in TLS servers (and TLS clients) to
> allow replacing of TLS certificates in "full flight". 

Oh, the library I have written definitely does allowing replacing the
server certificate in the flight. All the way to one thread replacing
the certificate while another is handshaking with the old one in the
meantime. And these replaces can happen behind application's and even
the TLS library's back. So no cache flushing.



-Ilari