Re: [TLS] RFC 7366 and resumption

Manuel Pégourié-Gonnard <> Thu, 06 November 2014 00:09 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E973F1ACED1 for <>; Wed, 5 Nov 2014 16:09:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.997
X-Spam-Status: No, score=0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, J_CHICKENPOX_55=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jcygl7fr3fM8 for <>; Wed, 5 Nov 2014 16:09:13 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ACB901A03AB for <>; Wed, 5 Nov 2014 16:08:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:CC:To:MIME-Version:From:Date:Message-ID; bh=Jvhq6rAMgznkGMlF+E4D8Jl6ArzsvQ8H7Sr8cobsdsE=; b=UI4X27N0LP+c5+j0S+KrQQXH0lKMUCKADs2hMjBg2HB5vCq9Afrxjbk3JFh7dJvzpd6+xfY+JkmS34iqKi4vPQsWcB68TxLlm+Ek1S8pIBllmZYKWG7se6M4CVnRQwQcn69+meDvG9BR0S/Pmm11ZziVhcTTCqntwQlWOK2LXm4=;
Received: from ([] helo=[]) by with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1XmAd8-0004YK-Ai; Thu, 06 Nov 2014 01:08:50 +0100
Message-ID: <>
Date: Thu, 06 Nov 2014 01:08:55 +0100
From: Manuel Pégourié-Gonnard <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on
Cc: "<>" <>
Subject: Re: [TLS] RFC 7366 and resumption
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Nov 2014 00:09:15 -0000

On 05/11/2014 23:44, Martin Rex wrote:
> Manuel Pégourié-Gonnard wrote:
>> Peter Gutmann wrote:
>>> Manuel Pégourié-Gonnard <> writes:
>>>> It seems to me that RFC 7366 falls in the same category as "Most current TLS
>>>> extensions" above, ie is only relevant when a session is initiated, and on
>>>> resumption the server should ignore the extension and restore the state from
>>>> the saved session.
>>> Yes, it just follows standard practice from RFC 5246,
>>> so the server ignores it if present in Client Hello.
>> Ok, thanks for the confirmation!
> Huh?  I believe such behaviour to be partially WRONG (and a bad idea).
> Not returning the extension in ServerHello on resumption seems
> to be current worst^Wbest practice, but resuming a session that
> was originally negotiated with EtM when the resumption request
> is lacking the EtM extension looks like a bad idea to me.
I'm not sure if we're talking about the same thing here. Do we agree that a
session that was started using EtM will still be using EtM on resumption,
regardless of whether the client sent the extension the second time (and whether
the server replied with the extension)? If so, I fail to understand what is
bothers you.

> Btw. such behaviour means that any rfc5077-style TLS session tickets
> will have to accomodate all such properties, and all servers sharing
> the session tickets may have to be synchronously updated with a flag
> day...
I don't think the behaviour described in RFC 5246 is supposed to apply to RFC
5077, since the former states that

   In general, the specification of each extension type needs to
   describe the effect of the extension both during full handshake and
   session resumption.

and RFC 5077 indeed describes explicitly how the extension is supposed to be
used both for full handshake and resumed handshakes.

> Btw. rfc6066 contains at least one self-inconsistency at this point:
> [...]
> And the definition of the Server Name Indication extension, that is
> part of this RFC 6066, explicitly contradicts the first sentence of
> the latter (*>) paragraph.

I noticed that too. I guess it's a leftover from the previous version, since
Appendix A mentions changes regarding SNI use on resumption since RFC 4366. I
would assume the author forgot to change the paragraphs you quote: they should
now say something like "all the extensions defined in this document except SNI".

> Personally, I would consider it much more logical for the EtM spec
> when it would "perform a full handshake instead" if a client proposes
> to resume a session that was originally established with EtM, but
> fails to include the EtM extension in the resumption request.
> This latter behaviour follows the "principle of least surprise".
> Whether the server has already flushed the session from the server-side
> cache that the client proposes for resumption should not affect the
> properties of the resulting security context.

Both RFC 5246 and 6066 say that the client SHOULD include the extensions when
attempting to resume a session, since they can't know if resumption or a full
handshake will follow. If you're arguing that this SHOULD should be a MUST, I
think I'm sympathetic with your argument.