Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
Martin Rex <martin.rex@sap.com> Mon, 15 January 2007 18:03 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6WBV-0003sn-5m; Mon, 15 Jan 2007 13:03:53 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6WBT-0003sL-Qg for tls@ietf.org; Mon, 15 Jan 2007 13:03:51 -0500
Received: from smtpde02.sap-ag.de ([155.56.68.170]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H6WBQ-00041v-Ry for tls@ietf.org; Mon, 15 Jan 2007 13:03:51 -0500
Received: from sap-ag.de (smtpde02) by smtpde02.sap-ag.de (out) with ESMTP id TAA11476; Mon, 15 Jan 2007 19:03:39 +0100 (MEZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200701151803.TAA01170@uw1048.wdf.sap.corp>
Subject: Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
To: ekr@networkresonance.com
Date: Mon, 15 Jan 2007 19:03:39 +0100
In-Reply-To: <86lkk4ciz8.fsf@raman.networkresonance.com> from "Eric Rescorla" at Jan 15, 7 09:12:11 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Eric Rescorla wrote: > > <home_pw@msn.com> writes: > > > > Eric Rescorla wrote: > >> TLS session IDs do not come with any guarantee that the server will > >> actually honor a resumption request. The server may implement any > >> session cache policy it chooses. Therefore the client *must* be > >> prepared for the server to refuse resumption. > >> > > > > So the only thing we are disagreeing on is the definition of "must be > > prepared". > > > > You say choked, I say graceful fail. > > No, I don't agree with this analysis. The server being unwilling > to resume a session is normal behavior. The TLS state machine > explicitly handles such cases. Implementations which choke > rather than doing a full handshake are broken. I fully agree with Eric that a client MUST deal gracefully with a server that does not resume a proposes SSL session (ID) for whatever reason. The particular problem in the scenario that I listed might be that the client, by retrieving a cached session from its cache thought he had several parameter (including the protocol version) already established and treated the response from the server (who didn't resume as proposed) probably more like a renegotiation rather than a new handshake, and therefore might have considered the unavailablility of the previous higher protocol version a rollback attack. The client-side SSL session cache can not be implemented "transparently" in the TLS implementation, it needs significant extra information from the application in order to know whether and which cached SSL session might be resumed. Think about a client-side proxy (CONNECT), where the layer above TLS must perform the CONNECT handshake with the proxy, and where the network target IP and TCP-Port will be the same for all non-local addresses. There, the decision whether and which SSL session cache entry might be tried for resumption will have to be derived from the hostname:port from the URL (which is also used for server endpoint identification). In our customer's scenario, no proxy is involved, so the different endpoint is visible on both, the socket and the URL. -Martin _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Question on Stateless TLS Session Resumption Narayanan, Vidya
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] Re: when is it ok to resume a cached SSL/TL… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Kyle Hamilton
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- RE: [TLS] Question on Stateless TLS Session Resum… Narayanan, Vidya
- Re: [TLS] when is it ok to resume a cached SSL/TL… Martin Rex