Re: [TLS] Draft 18 review : Message splitting and interleaving
Eric Rescorla <ekr@rtfm.com> Tue, 22 November 2016 23:24 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 431FB1297A8 for <tls@ietfa.amsl.com>; Tue, 22 Nov 2016 15:24:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ti1iDE2aj7uI for <tls@ietfa.amsl.com>; Tue, 22 Nov 2016 15:24:47 -0800 (PST)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA02112961F for <tls@ietf.org>; Tue, 22 Nov 2016 15:24:45 -0800 (PST)
Received: by mail-yw0-x22e.google.com with SMTP id r204so28121027ywb.0 for <tls@ietf.org>; Tue, 22 Nov 2016 15:24:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dGlY9WYq2HyCgzuSOCT+L+oIJFyiWenFSbCEWk6tLxg=; b=JeYjGUEQH14N+wLBH2LWgzvjohZ3tGvBrEzxvKf2bJoB+c8GO7NukQnLIXX0VOeau+ 03A4RXWXkELNbwZIWYImpGWNyOMaU/9i/lhnT4rnqzYAo0ub1SDP3kwR9LlvpX6Bsoi8 aXrCh4Jv5a6Ti6jC8C+KivBzELmeHBIXN7pH6cBLn4fpQc4x6BPZsAQNZ5Dm4xDr7bY6 9zpoLq8Q1ru8JNLrDidgsn7dPgJlrYhCCDTvMQaP4Z4LhHGLZkVS5Gp8eJqe/985pFZD Q+n2Tf8QdBhDYAzyXMRXGdksX8Ue21uVXiLfpiU2J8LlyEG+GIc7zkOFs3sptthuytiU W8HQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dGlY9WYq2HyCgzuSOCT+L+oIJFyiWenFSbCEWk6tLxg=; b=XQt4/yvXb5qQ2Zm5T1ktMp2SFFFvqdsxYz5WKeuKVoMx6ZWv9obLhqKKlyWyloEbN9 9bNM4BHcCUu7qfZ+EGnvBLsVFvHnEwThNGtI9OevaXhBqYFPmnNm8ozXDNX6eJdokful SAS3WcoaIuTY+u8sNub3KsjUoeFc2I3teXuwOsay44EOtUy2pJDve3/c3Vdgy6zl2qhr rpg2T52PwM1fIB3VOG5U6R6qQL+e2nWNwAqOFgcKIzSlzVUtiQfY5YfHGq6pppihiRuq +lYlc0K0HtfiqeSBkE+D2Lk8w+pwK/rkoG51w7MwCaPMFAU7/4TbODUwjicORMjsWCLi Wz/g==
X-Gm-Message-State: AKaTC01++QvauF3A3Gh4gJT7dYIBpP6fmX2r9vW7Z1J3dFHzNBDB8KKpQpd+ZEgMIaoAFL6BQXW7eaMchVlCtA==
X-Received: by 10.129.78.71 with SMTP id c68mr160047ywb.21.1479857084962; Tue, 22 Nov 2016 15:24:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.159.141 with HTTP; Tue, 22 Nov 2016 15:24:04 -0800 (PST)
In-Reply-To: <CAF8qwaDxGH0xEPE7600yCnkJgLG51yJAyjVx2irNfhvptdT9Dw@mail.gmail.com>
References: <20161122190822.GH19978@neoplankton.picty.org> <CAF8qwaDxGH0xEPE7600yCnkJgLG51yJAyjVx2irNfhvptdT9Dw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 22 Nov 2016 15:24:04 -0800
Message-ID: <CABcZeBPTD13hrS1oFVMikBeXWHgLjwqBbZZmR9LvxN-2fYSJ1Q@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: multipart/alternative; boundary="001a114dac9cde5ffa0541ec13b9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wIL9_W5MODUvIQYZar9ciB20H5M>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Draft 18 review : Message splitting and interleaving
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2016 23:24:49 -0000
On Tue, Nov 22, 2016 at 2:18 PM, David Benjamin <davidben@chromium.org> wrote: > On Tue, Nov 22, 2016 at 2:05 PM Olivier Levillain < > olivier.levillain@ssi.gouv.fr> wrote: > >> Hi list, >> >> I am sorry for the very late answer concerning draft 18, but we >> (ANSSI) have several remarks after proof-reading the current >> specification. >> >> We are sorry for the multiple long messages. >> >> If the WG is interested by some of our concerns/proposals, we would be >> glad to propose some PRs. >> >> >> = Message splitting and interleaving = >> >> How to split and interleave subprotocols in TLS has not been clearly >> specified in the past, and it would be useful to be crystal clear on >> this point. >> >> In the specification, the subject is first presented in 4.5 (P.61): >> Handshake messages sent after the handshake MUST NOT be interleaved >> with other record types. That is, if a message is split over two or >> more handshake records, there MUST NOT be any other records between >> them. >> But I am wondering why this text only concern "messages after the >> handshake". It should always be the case! >> >> It is next present in section 4.5.3 (P.64): >> Handshake messages MUST NOT span key changes. Because the >> ServerHello, Finished, and KeyUpdate messages signal a key change, >> upon receiving these messages a receiver MUST verify that the end of >> these messages aligns with a record boundary; if not, then it MUST >> terminate the connection with an "unexpected_message" alert. >> >> And then in section 5 (mostly P.64 and P.65) plus a repetition P.69. >> >> >> It is worth noting that this specific point was (at least partially) >> the origin of several security issues: >> - the alert attack (https://www.mitls.org/pages/attacks/Alert); >> - Heartbleed (where OpenSSL answered with a fragmented record whereas >> it was not the spirit of the spec); >> - the OpenSSL Downgrade attack in 2014. >> >> Some of this is covered in the current specification, but it might be >> worth being even stricter: >> - regarding splitting/merging, they should be forbidden by default; >> - the default would apply to alerts (currently, the spec states that >> alerts MUST not be split, but they should not be merged either >> for simplicity's sake and since it is useless); >> > > +1. We (BoringSSL) and I believe NSS already forbid this for alerts at all > versions. > > This rule is actually implied by TLS 1.3 already, because we've gotten rid > of warning alerts. All alerts terminate the connection, except for > end_of_early_data, and end_of_early_data immediately signals a key change. > So it is not legal to send two alerts in the same epoch, much less in the > same record. (Being explicit about this is good, of course.) > This seems fine. I would take a PR for this. - incidentally, the default behaviour would apply to Heartbeat, as >> was the intent of the specification; >> - ApplicationData should be considered as a stream with possibly >> 0-length records >> - Handshake messages should either come as a sequence of multiple >> *entire* messages, or as a fraction of *one* message. That is, >> the number of HS messages inside one record should either be a >> round number or strictly less than 1. >> > > What simplifications were you expecting out of this? It seems to me this > would be a nuisance to both enforce as a receiver and honor as a sender. > > Our implementation doesn't try to pack handshake messages into records, > but I believe NSS does. NSS folks should confirm, but I expect such > implementations just buffer the messages up and flush when the buffer > exceeds the records size. That means all kinds of splits are plausible: > > [EncryptedExtensions Certifi] > [cateRequest Certificate Cer] > [tificateVerify Finished] > Yeah, that's how this works in NSS. I'm not seeing a real benefit in prohibiting this behavior. -Ekr I share your dislike of the way handshake messages and record boundaries > interact (or, rather, don't), but I'm not sure how this rule helps. > > >> These constraints can be expressed in 5.1 and cover most of the >> problematic cases. They are easy to check and to enforce. >> >> >> However, the problem of the OpenSSL Downgrade flaw (where the first >> record containing the beginning of the ClientHello was cut before the >> ClientHello.version field) will still stand, but there is no simple >> way to fix this, since version negotiation can now happen anywhere in >> the ClientHello extensions, so it might be impossible to enforce that >> the client versions are sent in the first record. >> >> I might volunteer some text if there is an interest of the WG. >> >> >> Olivier Levillain >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Draft 18 review : Message splitting and int… Olivier Levillain
- Re: [TLS] Draft 18 review : Message splitting and… David Benjamin
- Re: [TLS] Draft 18 review : Message splitting and… Eric Rescorla
- Re: [TLS] Draft 18 review : Message splitting and… Martin Thomson
- Re: [TLS] Draft 18 review : Message splitting and… Eric Rescorla
- Re: [TLS] Draft 18 review : Message splitting and… Olivier Levillain
- Re: [TLS] Draft 18 review : Message splitting and… Olivier Levillain