IETF Logo Mail Archive

Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session

<home_pw@msn.com> Mon, 15 January 2007 16:06 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6ULu-0006Ar-Az; Mon, 15 Jan 2007 11:06:30 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H6ULt-0006Am-6V for tls@ietf.org; Mon, 15 Jan 2007 11:06:29 -0500
Received: from bay0-omc3-s34.bay0.hotmail.com ([65.54.246.234]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H6ULq-0001T3-Ke for tls@ietf.org; Mon, 15 Jan 2007 11:06:29 -0500
Received: from hotmail.com ([65.55.131.16]) by bay0-omc3-s34.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 15 Jan 2007 08:06:26 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 15 Jan 2007 08:06:25 -0800
Message-ID: <BAY126-DAV649C9E2DAC40983624F6292B50@phx.gbl>
Received: from 70.142.20.165 by BAY126-DAV6.phx.gbl with DAV; Mon, 15 Jan 2007 16:06:24 +0000
X-Originating-IP: [70.142.20.165]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: martin.rex@sap.com
References: <20070115154600.A77285C01E@laser.networkresonance.com>
Subject: Re: [TLS] Re: when is it ok to resume a cached SSL/TLS session
Date: Mon, 15 Jan 2007 08:06:23 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 15 Jan 2007 16:06:25.0754 (UTC) FILETIME=[1BAC63A0:01C738BF]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

>> The server doesn't recognize that session and replies 
>> with
>> a Server Hello containing his highest protocol version, 
>> plus
>> plus server certificate message plus client cert request 
>> plus
>> server hello done.  The popular Web Browser closes the 
>> network
>> connection without sending any kind of SSL alert and 
>> shows
>> "Page cannot be displayed" to the user.
>>
>>
>> I firmly believe that this is a conceptual flaw on the 
>> client
>> side, making a flawed assumption about when a cached SSL 
>> session
>> can be expected to be resumable.
>
> ISTM that there are two issues here:
>
> 1. Whether the client should have offered asession ID.
> 2. Whether it should have choked when the server refused.
>
> Without taking a position on the first, which I think is 
> tricky,
> the client should definitely not have choked. Servers can 
> always
> refuse to accept a resumption.
>
> -Ekr

I reasoned differently, because this is an https context - 
there is thus a URL resolver involved. The validity of a 
secure URL is not the same as the validity of an SSL-named 
layer 4 TCP port (or SSL-named PPP tunnel connection,....)

At the SSL layer, the client sought a session resumption 
from a named layer 4 port. Session resumption means that the 
URL resolver at the https layer, however, is based on the 
client's connection state , not the host/port parsing. This 
includes the binding of URLs used in session creation, and 
the URL used in connection establishment (which are allowed 
to differ)

IN the cited case, a server responding from a given layer 4 
port of the second URL refused to resume a session (for some 
reason, like it didn't share session state records with 
another implementation). It then correctly engaged in a full 
handshake (with unusual custom pipelining of full handshake 
messages).

The client is entitled to reject the handshake, as in any 
full/partial rehandshake case. The client uses the 
conforming option to close the TLS Transport (TCP) rather 
than perform a close. This is reasonable, given the URL 
resource showed no knowledge of the sessionid/keying 
material.

---

I exploit the SSL architecture myself, sending server 
HelloRequests to my clients which respond with a clientHello 
(with special data in the time/nonce), a server Hello is 
similarly sent with similar custom time/nonce, which causes 
the client to finally issue a "sorry no"... alert, 
non-fatal. My special data happens to be time-synced OTPs 
(with CR capability, beyond STD 61), generated by a USB 
smartcard device. Given the flow is occurring over the 
current connection state (which is running mac'ed in my 
cipher suite, and each fragment gets DOA semantics from the 
confidentiality service) I'm adding timing signals to the 
SSL record_layer essentially.
 


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email