Re: [TLS] TLS renegotiation issue

Eric Rescorla <ekr@rtfm.com> Thu, 05 November 2009 19:09 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B6F083A69F5 for <tls@core3.amsl.com>; Thu, 5 Nov 2009 11:09:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UDWb71jI7Aid for <tls@core3.amsl.com>; Thu, 5 Nov 2009 11:09:34 -0800 (PST)
Received: from mail-gx0-f228.google.com (mail-gx0-f228.google.com [209.85.217.228]) by core3.amsl.com (Postfix) with ESMTP id 182833A68C3 for <tls@ietf.org>; Thu, 5 Nov 2009 11:09:32 -0800 (PST)
Received: by gxk28 with SMTP id 28so289608gxk.9 for <tls@ietf.org>; Thu, 05 Nov 2009 11:09:52 -0800 (PST)
MIME-Version: 1.0
Received: by 10.91.26.7 with SMTP id d7mr7113728agj.1.1257448191899; Thu, 05 Nov 2009 11:09:51 -0800 (PST)
In-Reply-To: <20091105184615.GG1105@Sun.COM>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3@rtfm.com> <d3aa5d00911051016p7a0cc508q2090b86de30a50d5@mail.gmail.com> <20091105184615.GG1105@Sun.COM>
Date: Thu, 5 Nov 2009 11:09:51 -0800
Message-ID: <d3aa5d00911051109r3d5dae33jef42e9dd2db1b0b@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS renegotiation issue
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2009 19:09:35 -0000

On Thu, Nov 5, 2009 at 10:46 AM, Nicolas Williams
<Nicolas.Williams@sun.com>; wrote:
> On Thu, Nov 05, 2009 at 10:16:11AM -0800, Eric Rescorla wrote:
>> I now have a draft extension up at:
>>
>> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
>> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.xml
>
> Initial comments based on a brief skim:
>
>  - Please add a normative reference to RFC5056.

There's no need for a normative reference here. This mechanism is
self-contained.
I'd be happy to add an informative reference.

>  - There's no real need for the ServerHello to include both of the
>   Finished messages from the outer TLS connection.  (I think there's no
>   real need for the ServerHello to include either of them, actually,
>   but I've not thought enough about that.)  But it's OK as is, of
>   course.

The general consensus was that it was harmless and might potentially
avoid some reflection logic errors.


>  - You call for each TLS handshake to bind to the one immediately
>   outside it.
>
>   Would it be better to bind to the outer-most one instead?
>
>   (In practice there's probably never more than one outer and one inner
>   handshake, right?)

Why do you think this is an improvement.


>  - There is a way for clients to protect themselves even when servers
>   don't implement this extension:
>
>   a) clients MUST NOT ever send any application-level messages without
>      TLS protection if they are willing to negotiate a TLS connection
>      after sending any application-level messages,
>
>   _and_,
>
>   b) if a server requests re-negotiation then the client MUST ensure
>      that the outer and inner TLS connection handshakes used a server
>      certificate, and, specifically, the _same_ server certificate,
>      otherwise the client MUST abort without ever completing the
>      second/inner handshake.

This isn't enough. If you look at the diagram you can see that the
client never experiences a renegotiation.



>  - Might as well update RFC5246 to indicate that the Finished messages
>   for any connection MUST be exported to applications.  Better get this
>   done now.

This sort of interface issue seems out of scope for the TLS spec.

-Ekr