[TLS] draft-ietf-tls-session-hash-04 and session resumption
David Benjamin <davidben@chromium.org> Fri, 10 April 2015 23:25 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B7891B2E64 for <tls@ietfa.amsl.com>; Fri, 10 Apr 2015 16:25:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id illxTqjulPhG for <tls@ietfa.amsl.com>; Fri, 10 Apr 2015 16:25:54 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8FC81B2E63 for <tls@ietf.org>; Fri, 10 Apr 2015 16:25:54 -0700 (PDT)
Received: by iggg4 with SMTP id g4so10117687igg.0 for <tls@ietf.org>; Fri, 10 Apr 2015 16:25:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to:cc:content-type; bh=GR5i9DGRwzjmAAcmdySgeHI//SlmzzAtpMYnedYVvw4=; b=ZVenRCCOid4o3TFgOQ/bheFrKcNSAjV3AMsCQlIqP0gluqdVD4kr76eayooweX/o/Z dSfhdPw2JzEwBfXAOef29gpXPQPqex/T9IZoIuBwA2wg1DTNEQjfYaqG4AmCh4okY/6S VKisgR7jzlp8EajNJFnQk6A2p+cr7kpdVFhSc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-type; bh=GR5i9DGRwzjmAAcmdySgeHI//SlmzzAtpMYnedYVvw4=; b=gwe9MoRq5S3zt4QPIhedK52/+aA1K7HSfcRS33RoOcKzUiPN8P6cMdKezOTu/FDYEE tDpVonndkBFB9g1vqxJDsJSCj1XSAAcCfWPTFP9O1GM7xeQ5eeKN06mmOMiVjpE7sJOh kLNE9NAxpwHkHr18T0t/1g/McX654YHO1i+A29TBz7X67XfaJPuTOxYIwBSKQaU4Byyd kH4xKzW+jITnosO1b7YH9g9xGXGTErNLePyGcSnSyYxmW0C87Me52kCJJSJw14zFSuf+ GEewMlpB3bP+3sn81sWvx+lCEzl46lp6SvfqXjGqNM82MVmm07NUJ9wOylfjw5888Puf T35w==
X-Gm-Message-State: ALoCoQlkQ+5ncqYa+6aHSYzurkFW1T5f+8g7NIEwj0IOyAs0uU+/mTCKgpNfFymK59G9zsRX2CeV
X-Received: by 10.43.72.138 with SMTP id yo10mr6818989icb.69.1428708354170; Fri, 10 Apr 2015 16:25:54 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Fri, 10 Apr 2015 23:25:53 +0000
Message-ID: <CAF8qwaCeXLXWumLimbtusOf9KbvNQCAQPwmvZ-vnkpfV+jso4w@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c204fef075e10513671572"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zqpcgMxa0E9yNbYQDkY9WBKbBGo>
Cc: Emilia Kasper <ekasper@google.com>, Bill Cox <waywardgeek@google.com>
Subject: [TLS] draft-ietf-tls-session-hash-04 and session resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2015 23:25:56 -0000
Sorry this is rather late feedback. I was looking at the new session resumption provisions in draft-ietf-tls-session-hash-04, and one seems problematic. So, the draft has some SHOULDs which disable all EMS-less session resumption: > The client SHOULD NOT offer an abbreviated handshake to resume a session that does not use an extended master secret. > If the new ClientHello does not contain the "extended_master_secret" extension, the server SHOULD fall back to a full handshake by sending a ServerHello that rejects the offered session but continues with a full handshake. > If the new ServerHello does not contain the "extended_master_secret" extension, the client SHOULD abort the handshake. I suspect most implementations will ignore them for the time being. Assuming they're ignored, being only SHOULDs, > If the original session did not use an extended master secret but the new ClientHello does contain the "extended_master_secret" extension, the server MUST abort the handshake. Consider a client which persists sessions to disk and then upgrades with EMS support. Alternatively, the server may have since upgraded while retaining the session cache. This can cause a client to offer an EMS-less session to an EMS-ful server. This MUST now causes the server to abort the handshake, which is rather unfriendly. Instead, I propose it change to: > If the original session did not use an extended master secret but the new ClientHello does contain the "extended_master_secret" extension, the server MUST reject the session and fall back to a full handshake. The new session will still be EMS-ful and we don't risk hard-to-diagnose failures. David
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… Martin Thomson
- [TLS] draft-ietf-tls-session-hash-04 and session … David Benjamin
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… Karthikeyan Bhargavan
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… Emilia Kasper
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… Martin Rex
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… Karthikeyan Bhargavan
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… Karthikeyan Bhargavan
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… David Benjamin
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… Martin Thomson
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… Martin Thomson
- Re: [TLS] draft-ietf-tls-session-hash-04 and sess… David Benjamin