Re: [TLS] TLS renegotiation issue

Eric Rescorla <> Thu, 05 November 2009 19:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B6F083A69F5 for <>; Thu, 5 Nov 2009 11:09:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UDWb71jI7Aid for <>; Thu, 5 Nov 2009 11:09:34 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 182833A68C3 for <>; Thu, 5 Nov 2009 11:09:32 -0800 (PST)
Received: by gxk28 with SMTP id 28so289608gxk.9 for <>; Thu, 05 Nov 2009 11:09:52 -0800 (PST)
MIME-Version: 1.0
Received: by with SMTP id d7mr7113728agj.1.1257448191899; Thu, 05 Nov 2009 11:09:51 -0800 (PST)
In-Reply-To: <20091105184615.GG1105@Sun.COM>
References: <> <> <20091105184615.GG1105@Sun.COM>
Date: Thu, 5 Nov 2009 11:09:51 -0800
Message-ID: <>
From: Eric Rescorla <>
To: Nicolas Williams <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "" <>
Subject: Re: [TLS] TLS renegotiation issue
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Nov 2009 19:09:35 -0000

On Thu, Nov 5, 2009 at 10:46 AM, Nicolas Williams
<> wrote:
> On Thu, Nov 05, 2009 at 10:16:11AM -0800, Eric Rescorla wrote:
>> I now have a draft extension up at:
> Initial comments based on a brief skim:
>  - Please add a normative reference to RFC5056.

There's no need for a normative reference here. This mechanism is
I'd be happy to add an informative reference.

>  - There's no real need for the ServerHello to include both of the
>   Finished messages from the outer TLS connection.  (I think there's no
>   real need for the ServerHello to include either of them, actually,
>   but I've not thought enough about that.)  But it's OK as is, of
>   course.

The general consensus was that it was harmless and might potentially
avoid some reflection logic errors.

>  - You call for each TLS handshake to bind to the one immediately
>   outside it.
>   Would it be better to bind to the outer-most one instead?
>   (In practice there's probably never more than one outer and one inner
>   handshake, right?)

Why do you think this is an improvement.

>  - There is a way for clients to protect themselves even when servers
>   don't implement this extension:
>   a) clients MUST NOT ever send any application-level messages without
>      TLS protection if they are willing to negotiate a TLS connection
>      after sending any application-level messages,
>   _and_,
>   b) if a server requests re-negotiation then the client MUST ensure
>      that the outer and inner TLS connection handshakes used a server
>      certificate, and, specifically, the _same_ server certificate,
>      otherwise the client MUST abort without ever completing the
>      second/inner handshake.

This isn't enough. If you look at the diagram you can see that the
client never experiences a renegotiation.

>  - Might as well update RFC5246 to indicate that the Finished messages
>   for any connection MUST be exported to applications.  Better get this
>   done now.

This sort of interface issue seems out of scope for the TLS spec.