Re: [tram] STUNBIS: TLS verification

"Gonzalo Salgueiro (gsalguei)" <gsalguei@cisco.com> Fri, 17 February 2017 02:02 UTC

From: "Gonzalo Salgueiro (gsalguei)" <gsalguei@cisco.com>
To: "Olle E. Johansson" <oej@edvina.net>
Date: Fri, 17 Feb 2017 02:02:18 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/FAA8eRrZDzMR_AnEXFZFwIixP3w>
Cc: Martin Thomson <martin.thomson@gmail.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] STUNBIS: TLS verification

Sorry for the delay, but I'm just getting around to this.

Thanks Olle and Martin for raising this point. For points 1, 3 and 4 we have aligned the TLS verification to RFC 6125. As for point 2, we agree the DNSSEC case is important, but the WG has decided not to include using DANE to validate TLS certificates for STUN (draft-petithuguenin-tram-stun-dane, https://tools.ietf.org/html/draft-petithuguenin-tram-stun-dane-04), so it will need to be handled separately and not as part of this STUNbis effort.

Cheers,

Gonzalo

On Jul 26, 2016, at 1:33 AM, Olle E. Johansson <oej@edvina.net> wrote:

> On 26 Jul 2016, at 10:22, Martin Thomson <martin.thomson@gmail.com> wrote:
>
>> I agree that 6125 is best here. Simple answers:
>>
>> On 26 July 2016 at 09:02, Olle E. Johansson <oej@edvina.net> wrote:
>>> 1) Configured STUN server name: “sollentuna.example.com”
>>>    Server redirects to “stockholm.example.com” - which name needs to be in the cert?
>>
>> If the redirect is authenticated, then it can be stockholm
>
> “can be” :-)
> In SIP we always compare with the original URI and avoid redirections.
> In that case it’s “sollentuna”. This is clearly something that needs to be documented.
> In 6125 lingo, the server name “sollentuna.example.com” is the reference identifier.
> What you propose is that a STUN redirect change the reference identifier,
> which I’m fine with. The first STUN server needs a cert for sollentuna.example.com,
> so we clearly trust that server. The redirect goes to stockholm and the
> cert in that server needs to verify for Stockholm.
> I think that case needs to be clear in stunbis.
>
>>> 2) Configured STUN server name: “orust.example.com”
>>>    DNS SRV leads to “arlanda.example.net” as first selection
>>>    - which name needs to be in the cert?
>>
>> orust - we don't trust the DNS
>
> Ok, let’s take the DNSSEC case later. Marc and I had a draft on that earlier that we
> need to revive after this is done.
>
>>> 3) Configured STUN server name: “bromma.example.com”
>>>    Certificate has “*.example.com” - are wildcards approved? (SIP doesn’t approve)
>>
>> *.example.com should be OK
>
> Following 6.4.3 in 6125 then
>
>>> 4) Configured STUN server name: “sigtuna.example.com”
>>>    Cert has “sigtuna.example.com” in subject - but “sigtuna.example.net” in SAN
>>>    Is this approved? (In SIP it would not be)
>>
>> no - I don't see how a complete name mismatch could ever be acceptable
>
> Right, if there are SANs, the Subject CN must be ignored.
>
> /O

_______________________________________________
tram mailing list
tram@ietf.org<mailto:tram@ietf.org>
https://www.ietf.org/mailman/listinfo/tram

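The four cases the thread settles (authenticated redirect moves the reference identifier, an SRV target does not, leftmost-label wildcards per RFC 6125 section 6.4.3, and SAN overriding the Subject CN) as one matching routine. This is an added example, not code from the thread, STUNbis or any real STUN stack; the `Cert` data class, the `hops` tuples and all host names are constructed for illustration, and the rule that a wildcard needs two labels to its right is an assumption stricter than the RFC's minimum.

```python
# Added example, not code from the thread, STUNbis or any real STUN stack:
# RFC 6125-style matching of a server certificate against a STUN reference
# identifier, covering the four cases above. Certificate fields are modelled
# as plain data; "hops" (SRV lookups and STUN redirects) are constructed inputs.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Cert:
    subject_cn: Optional[str] = None                   # Subject Common Name
    san_dns: List[str] = field(default_factory=list)   # dNSName SubjectAltNames

def name_matches(presented: str, reference: str) -> bool:
    """RFC 6125 section 6.4.3: exact match, or '*' as the whole leftmost label
    matching exactly one label. Partial wildcards such as 'sig*' are rejected,
    and (assumption) a wildcard needs two labels to its right, so '*.com' fails."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if p == r:
        return True
    if p[0] == "*" and len(p) >= 3 and len(p) == len(r) and r[0]:
        return p[1:] == r[1:]
    return False

def cert_matches(cert: Cert, reference: str) -> bool:
    """Point 4: once any dNSName SAN is present the Subject CN is ignored."""
    if cert.san_dns:
        return any(name_matches(n, reference) for n in cert.san_dns)
    return cert.subject_cn is not None and name_matches(cert.subject_cn, reference)

def reference_identifier(configured: str, hops: List[Tuple[str, str, bool]]) -> str:
    """hops are (kind, target, authenticated). Point 2: an SRV target learned
    from DNS never replaces the configured name. Point 1: a STUN redirect
    replaces it only when the server that sent it was itself verified."""
    ref = configured
    for kind, target, authenticated in hops:
        if kind == "redirect" and authenticated:
            ref = target
    return ref

def verify(configured: str, hops: List[Tuple[str, str, bool]], cert: Cert) -> bool:
    return cert_matches(cert, reference_identifier(configured, hops))

if __name__ == "__main__":
    # constructed sample: authenticated redirect, cert issued to the redirect target
    print(verify("sollentuna.example.com", [("redirect", "stockholm.example.com", True)],
                 Cert(san_dns=["stockholm.example.com"])))
```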