[TLS] Application Data before Client Finished message

Roelof Du Toit <Roelof_Dutoit@symantec.com> Fri, 24 March 2017 20:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/z_d5U-JbuCgv_sopnPe72KbMGOg>

I was wondering if Section 4.4.4 requires an additional exception to allow sending Application Data from the server prior to receiving the client's Finished message?

The current draft has the following in Section 4.4.4:
Once a side has sent its Finished message and received and validated the Finished message from its peer, it may begin to send and receive application data over the connection. Early data may be sent prior to the receipt of the peer’s Finished message, per Section 4.2.7.

.. while Section 2 has the following:
At this point, the handshake is complete, and the client and server may exchange application-layer data. Application data MUST NOT be sent prior to sending the Finished message. Note that while the server may send application data prior to receiving the client’s Authentication messages, any data sent at that point is, of course, being sent to an unauthenticated peer.


Unrelated, I was curious why the 'client_traffic_secret_0' calculation does not include the 'Client Finished' message while the 'server_traffic_secret_0' calculation includes the 'Server Finished' message? After some digging I noticed that the split was added in Draft 16, while Drafts 13 through 15 had it as just 'traffic_secret_0' (calculated without 'Client Finished'). I'm guessing it does not really affect the strength of the secret, but I was wondering about the asymmetry.

--Roelof
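The two questions in this message both come down to which part of the handshake transcript each secret is bound to. The walk-through below is an added illustration, not code from the IETF draft or from any TLS implementation. It follows the key schedule as published in the final RFC 8446 (the label strings and the "tls13 " prefix differ from the 2017 drafts, which is an assumption to keep in mind when comparing with the draft text) and uses a SHA-256 cipher suite. The (EC)DHE shared secret and the handshake messages are constructed placeholders, not real TLS encodings. In RFC 8446 both application traffic secrets are derived from the same transcript, ClientHello through the server Finished, and differ only by direction label; the client Finished is bound only into the resumption master secret. The `tampered_transcript` helper is there to show that any modification of a covered message changes every secret derived after it, which is what makes Finished verification meaningful.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256 cipher suites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 7.1 HKDF-Expand-Label. HkdfLabel is: uint16 length,
    opaque label<7..255> holding "tls13 " + Label, opaque context<0..255>."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def transcript_hash(messages) -> bytes:
    """Transcript-Hash(M1..Mn) = Hash(M1 || ... || Mn) over handshake messages."""
    return HASH(b"".join(messages)).digest()


def derive_secret(secret: bytes, label: str, messages) -> bytes:
    """Derive-Secret(Secret, Label, Messages) from RFC 8446 7.1."""
    return hkdf_expand_label(secret, label, transcript_hash(messages), HASH_LEN)


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake framing: HandshakeType (1 byte), uint24 length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def key_schedule(ecdhe_shared: bytes, messages, server_hello_idx: int, psk=None):
    """Walk the RFC 8446 key schedule. `messages` is the ordered transcript
    ClientHello ... client Finished (server Finished second to last, client
    Finished last); `server_hello_idx` is the position of ServerHello."""
    zeros = bytes(HASH_LEN)
    through_server_hello = messages[:server_hello_idx + 1]  # ClientHello...ServerHello
    through_server_finished = messages[:-1]                 # ClientHello...server Finished
    through_client_finished = messages                      # ClientHello...client Finished

    early_secret = hkdf_extract(zeros, psk if psk is not None else zeros)
    handshake_secret = hkdf_extract(derive_secret(early_secret, "derived", []), ecdhe_shared)
    master_secret = hkdf_extract(derive_secret(handshake_secret, "derived", []), zeros)

    return {
        "client_handshake_traffic_secret": derive_secret(handshake_secret, "c hs traffic", through_server_hello),
        "server_handshake_traffic_secret": derive_secret(handshake_secret, "s hs traffic", through_server_hello),
        # Both application traffic secrets cover the same transcript, up to and
        # including the server Finished; only the direction label differs.
        "client_application_traffic_secret_0": derive_secret(master_secret, "c ap traffic", through_server_finished),
        "server_application_traffic_secret_0": derive_secret(master_secret, "s ap traffic", through_server_finished),
        "exporter_master_secret": derive_secret(master_secret, "exp master", through_server_finished),
        # The client Finished is bound into the resumption master secret only.
        "resumption_master_secret": derive_secret(master_secret, "res master", through_client_finished),
    }


def finished_verify_data(base_key: bytes, messages) -> bytes:
    """RFC 8446 4.4.4: verify_data = HMAC(finished_key, Transcript-Hash(...)) with
    finished_key = HKDF-Expand-Label(BaseKey, "finished", "", Hash.length)."""
    finished_key = hkdf_expand_label(base_key, "finished", b"", HASH_LEN)
    return hmac.new(finished_key, transcript_hash(messages), HASH).digest()


# Constructed sample inputs: message bodies are placeholders, not real TLS encodings.
SAMPLE_SHARED = bytes.fromhex("11" * 32)
SAMPLE_TRANSCRIPT = [
    handshake_msg(1, b"client hello body"),     # ClientHello
    handshake_msg(2, b"server hello body"),     # ServerHello
    handshake_msg(8, b"encrypted extensions"),  # EncryptedExtensions
    handshake_msg(11, b"server certificate"),   # Certificate
    handshake_msg(15, b"certificate verify"),   # CertificateVerify
    handshake_msg(20, b"server finished"),      # server Finished
    handshake_msg(20, b"client finished"),      # client Finished
]
SERVER_HELLO_IDX = 1


def tampered_transcript(messages, idx: int):
    """Return a copy of the transcript with one byte of message `idx` flipped,
    to check which derived secrets a modification of that message affects."""
    copy = list(messages)
    m = bytearray(copy[idx])
    m[-1] ^= 0x01
    copy[idx] = bytes(m)
    return copy


if __name__ == "__main__":
    for name, value in key_schedule(SAMPLE_SHARED, SAMPLE_TRANSCRIPT, SERVER_HELLO_IDX).items():
        print(f"{name}: {value.hex()}")
```

Running it prints each secret; the more useful check is to flip a byte in the server Finished and observe that both application traffic secrets change while the handshake traffic secrets (bound only through ServerHello) do not, and that flipping a byte in the client Finished changes only the resumption master secret.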