Re: [TLS] MITM Attacks on Client Authentication after Resumption

[Dr Stephen Henson <lists@drh-consultancy.co.uk>]

On 03/03/2014 19:37, Martin Rex wrote:
> Dr Stephen Henson wrote:
>>
>> If the client checks the hostname against the certificate whenever a
>> certificate is presented[2] then additionally the attacker needs a certificate
>> with the same hostname as the attacked server.
>>
>> 2. This isn't always the case. Some applications check the hostname only after
>> the handshake has completed.
> 
> An application client that is using a TLS library _without_ callbacks,
> and requests a blocking TLS handshake to be performed, will only get to
> see the server certificate after the handshake has completed.
> 
> While the X.509 cert chain validation might be performed in-band
> by the TLS stack, the rfc2818 Section 3.1 server endpoint
> identification is left up to the application caller.
> 

A stack might have an option to check the hostname as part of the in-band cert
validation and, on failure, abort the handshake at that point just like any
other validation error.

For example OpenSSL 1.0.2 can do that but previous versions do not. Since that's
an unreleased version it's likely no existing clients use that option.

I performed a few checks with an experimental option to change the server
certificate during renegotiation, which I believe simulates the attack
mechanism. If the client checks certificates in band then all versions choke
with a verification error if a chain is untrusted. For 1.0.2 only it also chokes
if the chain is trusted but the hostname doesn't match.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.