Re: [TLS] MITM Attacks on Client Authentication after Resumption

Dr Stephen Henson <> Tue, 04 March 2014 14:03 UTC


On 03/03/2014 19:37, Martin Rex wrote:
> Dr Stephen Henson wrote:
>> If the client checks the hostname against the certificate whenever a
>> certificate is presented[2] then additionally the attacker needs a certificate
>> with the same hostname as the attacked server.
>> 2. This isn't always the case. Some applications check the hostname only after
>> the handshake has completed.
> An application client that is using a TLS library _without_ callbacks,
> and requests a blocking TLS handshake to be performed, will only get to
> see the server certificate after the handshake has completed.
> While the X.509 cert chain validation might be performed in-band
> by the TLS stack, the rfc2818 Section 3.1 server endpoint
> identification is left up to the application caller.

A stack might have an option to check the hostname as part of the in-band cert
validation and, on failure, abort the handshake at that point just like any
other validation error.

For example, OpenSSL 1.0.2 can do that, but previous versions do not. Since that's
an unreleased version, it's likely no existing clients use that option.

I performed a few checks with an experimental option to change the server
certificate during renegotiation, which I believe simulates the attack
mechanism. If the client checks certificates in band then all versions choke
with a verification error if a chain is untrusted. For 1.0.2 only it also chokes
if the chain is trusted but the hostname doesn't match.

Dr Stephen N. Henson.
Core developer of the OpenSSL project:
Freelance consultant see:
Email:, PGP key: via homepage.