Re: [TLS] Next Protocol Negotiation - Some comments
Adam Langley <agl@google.com> Thu, 12 July 2012 14:35 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 793A621F87DD for <tls@ietfa.amsl.com>; Thu, 12 Jul 2012 07:35:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id biW4boSIyLlH for <tls@ietfa.amsl.com>; Thu, 12 Jul 2012 07:34:59 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id BCD5C21F87DA for <tls@ietf.org>; Thu, 12 Jul 2012 07:34:58 -0700 (PDT)
Received: by yhq56 with SMTP id 56so2860682yhq.31 for <tls@ietf.org>; Thu, 12 Jul 2012 07:35:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record; bh=zlSrrO9XakOe7utpWffP+IR2AMxfowtQnNtHZZTEDnY=; b=IQ7qHHYpz497kIkgyU0bLYb4pVVV5QEHOoJcw2aJI/zZR/CZs9YmR4jTLzXozaxnTE kx+XfK9r3B4j2fdEIDjbB2hP4SBU8vSl5iqwKyqIIhIvkwYy8bB8TQMF7kvzrMgpq8p0 jb8K0SQgkBNdfNLWXkBl1dhFXk3wUtyUINAEKW5fuXOV82J/WOOBOksFqlhCJSAb0Vu7 Hchu/IVlzNCUd3LYEKP7K7kfcaxal84/1UHX8/SLSkIcVss+gzHEZSf3w7iJohiTB8go jiy6GluYof/NnXqQYaz4X6t1kB0Hx3pYrYZc466ZDf9i/ZQvnvgAMwgImF6MRDVL9neD Dluw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record:x-gm-message-state; bh=zlSrrO9XakOe7utpWffP+IR2AMxfowtQnNtHZZTEDnY=; b=UQXyu+xFXYKe35b3vmlUEk5QGN2wMPvAODxYgnx1206M9ALnuWqbBHQLwsMFeM1/R0 74I2uvZAcpLfORqyC2TD8PhHJwrUh0k5udCAW5ZimzB3FgH8ri9b/hLPesSt0uVu84g3 0Ki32UfoXl0+VvKIHxVdnLhWrhlYm49fJrPdKlW3xILTwlDaeS//F57c6UutLdrptwAA zRfJ8GwmnAh79sGL5WdaaJ0nL/jEQpQrZFo6DB6rGX+LdWW9MDrfv5EJC6IhPYaSZZ+H bdplG1kUeBuAgoe0G6xEjonEcJEyqZtJ9XYv+xE/77Y5Iy4UAY3KMM6/sRHWGGwrtfin 7O3A==
Received: by 10.50.236.97 with SMTP id ut1mr17710726igc.50.1342103731836; Thu, 12 Jul 2012 07:35:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.236.97 with SMTP id ut1mr17710716igc.50.1342103731725; Thu, 12 Jul 2012 07:35:31 -0700 (PDT)
Received: by 10.231.31.202 with HTTP; Thu, 12 Jul 2012 07:35:31 -0700 (PDT)
In-Reply-To: <CALR0uiKnJNFx6hF7SQNBA2=h4YUbnQPEyr0kDYbXT6Bpu7bhJg@mail.gmail.com>
References: <CALR0uiKnJNFx6hF7SQNBA2=h4YUbnQPEyr0kDYbXT6Bpu7bhJg@mail.gmail.com>
Date: Thu, 12 Jul 2012 10:35:31 -0400
Message-ID: <CAL9PXLwOS9=A4tngFgi4s2=6_gR74_gS+gFazW4-1XcqPLHWLw@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Alfredo Pironti <alfredo.pironti@inria.fr>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQnQu4+GLO0K97vvFAIFtFhWcB4ix4/WTcrmZ1+oPOxClWCDLdNgTTxAt2i2Bewsr1jRlpz10CWKeOO/3DavHj/CjfJ9LDpPmOiU1LAJZPXyLcTf1O4OemzWkxyrnSQ96S/7srsNttSv/C8X+Ja9bIb+lkpoaVMbHMGZ11PnnXch1FXGAWg=
Cc: tls@ietf.org
Subject: Re: [TLS] Next Protocol Negotiation - Some comments
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2012 14:35:00 -0000
On Thu, Jul 12, 2012 at 10:09 AM, Alfredo Pironti <alfredo.pironti@inria.fr> wrote: > Briefly, suppose a MItM wishes to know which 'selected_protocol' the > client is sending to the server. He could downgrade protocol > version/ciphersuite in the server hello, let the client send its > encrypted "EncryptedExtensions" message, and then let the session > fail. Decrypting the message once could be enough to spot that the > server is offering a specific 'selected_protocol' (or at least that > the client believes the server can offer it, even if not advertised), > and so ban the server in the future. Yep, especially if the client will allow NULL encryption ciphersuites. Quite possibly this should be noted in the spec. The purpose of encrypting and padding the protocol is to prevent large-scale, casual interference which has become so common and damaging to other protocols. It's certainly adding grey to TLS's otherwise binary world, but that's not to say that it's not useful. > On a related topic, the EncryptedExtension message is padded, to avoid > leaking the length of next-protocol name. I would add an > implementation caveat here. Note that handshake messages can be > fragmented. In particular, if an implementation prepares the > selected_protocol field and sends it to the record, then prepares the > padding field and sends it to the record, we may end up with two > encrypted fragments where the first reveals the length of the > selected_protocol field. An implementation should ensure this message > is not fragmented in the above way (or not fragmented at all). I > believe it's quite unlikely implementations out there would behave > like this, but again, we may want to be explicit on this. Yep, probably another point to be mentioned, thanks. (Although the reality is that fragmenting handshake messages doesn't actually work in the real world due to bugs.) > Finally, if I was to implement this extension, I would not know what > to do in case of errors. For example, if I'm the server, and I receive > an unsupported 'selected_protocol' from the client, what should I do? > Send an alert (which one)? That's deliberately unspecified at the moment because I don't know what the right behaviour is. What'll actually happen at the moment is that servers will use their default protocol if they don't recognise the requested protocol. But I don't think it's clear enough yet to say whether that's the right behaviour or not. Cheers AGL
- [TLS] Next Protocol Negotiation - Some comments Alfredo Pironti
- Re: [TLS] Next Protocol Negotiation - Some commen… Adam Langley