Re: [TLS] RFC 7366 and resumption
Manuel Pégourié-Gonnard <mpg@polarssl.org> Thu, 06 November 2014 00:09 UTC
Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E973F1ACED1 for <tls@ietfa.amsl.com>; Wed, 5 Nov 2014 16:09:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.997
X-Spam-Level:
X-Spam-Status: No, score=0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, J_CHICKENPOX_55=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jcygl7fr3fM8 for <tls@ietfa.amsl.com>; Wed, 5 Nov 2014 16:09:13 -0800 (PST)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACB901A03AB for <tls@ietf.org>; Wed, 5 Nov 2014 16:08:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:CC:To:MIME-Version:From:Date:Message-ID; bh=Jvhq6rAMgznkGMlF+E4D8Jl6ArzsvQ8H7Sr8cobsdsE=; b=UI4X27N0LP+c5+j0S+KrQQXH0lKMUCKADs2hMjBg2HB5vCq9Afrxjbk3JFh7dJvzpd6+xfY+JkmS34iqKi4vPQsWcB68TxLlm+Ek1S8pIBllmZYKWG7se6M4CVnRQwQcn69+meDvG9BR0S/Pmm11ZziVhcTTCqntwQlWOK2LXm4=;
Received: from mna75-11-88-161-199-191.fbx.proxad.net ([88.161.199.191] helo=[192.168.0.12]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1XmAd8-0004YK-Ai; Thu, 06 Nov 2014 01:08:50 +0100
Message-ID: <545ABC17.3090406@polarssl.org>
Date: Thu, 06 Nov 2014 01:08:55 +0100
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: mrex@sap.com
References: <20141105224437.8E2081AF95@ld9781.wdf.sap.corp>
In-Reply-To: <20141105224437.8E2081AF95@ld9781.wdf.sap.corp>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 88.161.199.191
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vgNpOKjoRWkTr4hfweROdQUu2tM
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] RFC 7366 and resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Nov 2014 00:09:15 -0000
On 05/11/2014 23:44, Martin Rex wrote: > Manuel Pégourié-Gonnard wrote: >> Peter Gutmann wrote: >>> Manuel Pégourié-Gonnard <mpg@polarssl.org> writes: >>> >>>> It seems to me that RFC 7366 falls in the same category as "Most current TLS >>>> extensions" above, ie is only relevant when a session is initiated, and on >>>> resumption the server should ignore the extension and restore the state from >>>> the saved session. >>> >>> Yes, it just follows standard practice from RFC 5246, >>> so the server ignores it if present in Client Hello. >> >> Ok, thanks for the confirmation! > > Huh? I believe such behaviour to be partially WRONG (and a bad idea). > > Not returning the extension in ServerHello on resumption seems > to be current worst^Wbest practice, but resuming a session that > was originally negotiated with EtM when the resumption request > is lacking the EtM extension looks like a bad idea to me. > I'm not sure if we're talking about the same thing here. Do we agree that a session that was started using EtM will still be using EtM on resumption, regardless of whether the client sent the extension the second time (and whether the server replied with the extension)? If so, I fail to understand what is bothers you. > Btw. such behaviour means that any rfc5077-style TLS session tickets > will have to accomodate all such properties, and all servers sharing > the session tickets may have to be synchronously updated with a flag > day... > I don't think the behaviour described in RFC 5246 is supposed to apply to RFC 5077, since the former states that In general, the specification of each extension type needs to describe the effect of the extension both during full handshake and session resumption. and RFC 5077 indeed describes explicitly how the extension is supposed to be used both for full handshake and resumed handshakes. > Btw. rfc6066 contains at least one self-inconsistency at this point: > [...] > And the definition of the Server Name Indication extension, that is > part of this RFC 6066, explicitly contradicts the first sentence of > the latter (*>) paragraph. I noticed that too. I guess it's a leftover from the previous version, since Appendix A mentions changes regarding SNI use on resumption since RFC 4366. I would assume the author forgot to change the paragraphs you quote: they should now say something like "all the extensions defined in this document except SNI". > Personally, I would consider it much more logical for the EtM spec > when it would "perform a full handshake instead" if a client proposes > to resume a session that was originally established with EtM, but > fails to include the EtM extension in the resumption request. > > This latter behaviour follows the "principle of least surprise". > Whether the server has already flushed the session from the server-side > cache that the client proposes for resumption should not affect the > properties of the resulting security context. Both RFC 5246 and 6066 say that the client SHOULD include the extensions when attempting to resume a session, since they can't know if resumption or a full handshake will follow. If you're arguing that this SHOULD should be a MUST, I think I'm sympathetic with your argument. Manuel.
- Re: [TLS] RFC 7366 and resumption Martin Rex
- [TLS] RFC 7366 and resumption Manuel Pégourié-Gonnard
- Re: [TLS] RFC 7366 and resumption Peter Gutmann
- Re: [TLS] RFC 7366 and resumption Manuel Pégourié-Gonnard
- Re: [TLS] RFC 7366 and resumption Manuel Pégourié-Gonnard