Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
Martin Rex <martin.rex@sap.com> Mon, 15 January 2007 19:23 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6XQH-0000oS-5g; Mon, 15 Jan 2007 14:23:13 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6XQF-0000nJ-Aa for tls@ietf.org; Mon, 15 Jan 2007 14:23:11 -0500
Received: from smtpde01.sap-ag.de ([155.56.68.171]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H6XQC-0005LI-Qz for tls@ietf.org; Mon, 15 Jan 2007 14:23:11 -0500
Received: from sap-ag.de (smtpde01) by smtpde01.sap-ag.de (out) with ESMTP id UAA25914; Mon, 15 Jan 2007 20:23:01 +0100 (MEZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200701151923.UAA02162@uw1048.wdf.sap.corp>
Subject: Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
To: home_pw@msn.com
Date: Mon, 15 Jan 2007 20:23:00 +0100
In-Reply-To: <BAY126-DAV3FB5F2BEE682A4281A02A92B50@phx.gbl> from "home_pw@msn.com" at Jan 15, 7 10:57:50 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0fa76816851382eb71b0a882ccdc29ac
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
home_pw@msn.com wrote: > > >> > You say choked, I say graceful fail. > >> > >> No, I don't agree with this analysis. The server being > >> unwilling > >> to resume a session is normal behavior. The TLS state > >> machine > >> explicitly handles such cases. Implementations which > >> choke > >> rather than doing a full handshake are broken. > > > > I fully agree with Eric that a client MUST deal gracefully > > with > > a server that does not resume a proposes SSL session (ID) > > for > > whatever reason. > > > Show me the text in the standard that says MUST (or even > half hints MUST from the English wording). Tell me it MUST > apply to EAP-TLS, too. More importantly, tell me what > "appropriate" and "graceful" then mean, for packets on the > wire. Tell me what the server MUST do, if the client does > not comply. Your both making this out to be security- or > interoperability- critical (it's a MUST, Peter!!) I think it is acceptable for a client to have a certain level of expectation about the servers characteristics for the exact same target endpoint (host:port), but not for a different one on the same host. Especially in the real world of NATs. It is an implied MUST, not one that is spelled out, based on common sense and established practices. Where in the spec do you find an indication that a client may blindy assume that all processes on one host will share even the most valuable secrets, like credentials and an SSL session cache. In the (Berkeley) Sockets interface there is a tradition that a server process opens a listener Socket and keeps accepting connections on this sockets for the lifetime of the process. Different server processes traditionally listen on different TCP and UDP ports, and it is a longstanding security practice to not have each and every service running with full system privileges. SSL is an extension to the (Berkeley) Socket interface and has basically inherited these traditions. > > Concerning the evidence:- > > "The particular problem in the scenario that I listed might > be that the client, by retrieving a cached session from its > cache thought he had several parameter (including the protocol > version) already established and treated the response from the server > (who didn't resume as proposed) probably more like a renegotiation > rather than a new handshake, and therefore might have considered > the unavailablility of the previous higher protocol version > a rollback attack." > > VERY LIKELY! This is in MY purview - as a implementer - to > decide; Martin, you are making my point for me. My > implementations don't support ANY of the fallback practices, > either, by default! I think it is clear from the protocol handshake and the state machine that there is a significant difference between a server not resuming a cached session and an established session doing a renegotiation. For the denied resume, there is no agreement on a common previous session state, while for a renegitiation request, there exists common agreed-upon session state. -Martin _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Question on Stateless TLS Session Resumption Narayanan, Vidya
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] Re: when is it ok to resume a cached SSL/TL… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Kyle Hamilton
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- RE: [TLS] Question on Stateless TLS Session Resum… Narayanan, Vidya
- Re: [TLS] when is it ok to resume a cached SSL/TL… Martin Rex