Re: [xmpp] #39: prohibition on TLS renegotiation
Kurt Zeilenga <Kurt.Zeilenga@Isode.com> Wed, 07 July 2010 14:43 UTC
Return-Path: <Kurt.Zeilenga@Isode.com>
X-Original-To: xmpp@core3.amsl.com
Delivered-To: xmpp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F7DF3A6800 for <xmpp@core3.amsl.com>; Wed, 7 Jul 2010 07:43:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.354
X-Spam-Level:
X-Spam-Status: No, score=-2.354 tagged_above=-999 required=5 tests=[AWL=0.245, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WOhBzrN+wf5A for <xmpp@core3.amsl.com>; Wed, 7 Jul 2010 07:43:54 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id 0E1723A67AB for <xmpp@ietf.org>; Wed, 7 Jul 2010 07:43:54 -0700 (PDT)
Received: from [192.168.1.101] ((unknown) [75.141.233.128]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <TDSSqQB1H7Oa@rufus.isode.com>; Wed, 7 Jul 2010 15:43:55 +0100
X-SMTP-Protocol-Errors: NORDNS
From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
In-Reply-To: <87630r9xks.fsf@mocca.josefsson.org>
Date: Wed, 07 Jul 2010 07:43:50 -0700
Message-Id: <12FEB9B4-C775-46F2-BC3A-F4737F165FD9@Isode.com>
References: <057.cd3487385f077266653b25eecf323b0d@tools.ietf.org> <4C27CFDC.4060701@stpeter.im> <87lj9re7r2.fsf@mocca.josefsson.org> <4C335537.6070605@stpeter.im> <4C335FB7.2030806@stpeter.im> <87630r9xks.fsf@mocca.josefsson.org>
To: Simon Josefsson <simon@josefsson.org>
X-Mailer: Apple Mail (2.1081)
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: xmpp@ietf.org
Subject: Re: [xmpp] #39: prohibition on TLS renegotiation
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2010 14:43:57 -0000
On Jul 7, 2010, at 7:27 AM, Simon Josefsson wrote: > Peter Saint-Andre <stpeter@stpeter.im> writes: > >> On 7/6/10 10:09 AM, Peter Saint-Andre wrote: >>> On 7/4/10 6:44 AM, Simon Josefsson wrote: >>>> Peter Saint-Andre <stpeter@stpeter.im> writes: >>>> >>>>> On 6/21/10 6:11 PM, xmpp issue tracker wrote: >>>>>> #39: prohibition on TLS renegotiation >>>>>> --------------------------------+------------------------------------------- >>>>>> Reporter: stpeter@… | Owner: stpeter@… >>>>>> Type: defect | Status: new >>>>>> Priority: minor | Milestone: >>>>>> Component: 3920bis | Version: >>>>>> Severity: In WG Last Call | Keywords: >>>>>> --------------------------------+------------------------------------------- >>>>>> Regarding Section 5.2.5, Matthew Wild commented: "is it really desired to >>>>>> put a complete ban on any renegotiation?" >>>>> >>>>> Based on my conversations with TLS mavens and discussion in the TLS WG >>>>> during the interminable threads on the renegotiation vulnerability, I >>>>> would say: yes, it really is desired to put a complete ban on any >>>>> renegotiation. >>>>> >>>>> Can you make an argument for why TLS renegotiation should be allowed in >>>>> XMPP applications? >>>> >>>> I would not argue for permitting TLS renegotiation, but there ARE some >>>> reasons for permitting TLS renegotiations: >>>> >>>> * Protect client credentials, i.e., first do server-authentication and >>>> then do client authentication in the protected channel. >>>> >>>> * Support sequence number wrapping (unlikely). From 5246: >>>> >>>> sequence number >>>> Each connection state contains a sequence number, which is >>>> maintained separately for read and write states. The sequence >>>> number MUST be set to zero whenever a connection state is made the >>>> active state. Sequence numbers are of type uint64 and may not >>>> exceed 2^64-1. Sequence numbers do not wrap. If a TLS >>>> implementation would need to wrap a sequence number, it must >>>> renegotiate instead. A sequence number is incremented after each >>>> record: specifically, the first record transmitted under a >>>> particular connection state MUST use sequence number 0. >>>> >>>> * Refresh encryption keys. >>>> >>>> On the whole, I would agree that these small use-cases do not outweigh >>>> the complexity in permitting renegotiation and that it is the right >>>> decision. But I wouldn't agree that it is a clear-cut obvious decision, >>>> it is a careful trade-off. Documenting why the decision has been made, >>>> and its pros and cons, is useful. >>> >>> Thanks for the clarifications. I agree that it would be good to explain >>> the reasoning in more detail, so I'll add some text about that to the >>> next version of the spec. >> >> How is this for proposed text in Section 5.2.5? (The first paragraph is >> unchanged; I've included here only to provide context.) > > I like it. > > I don't see what benefit there is in permitting TLS renegotiation, even > with the TLS renegotiation extension, because it adds complexity to the > XMPP specification, XMPP implementations (a SHOULD NOT requirement > typically results in more code and trickier testing than a MUST NOT), > and complexity for interop testing events. I personally wouldn't have a problem with just saying "SHOULD NOT do TLS renegotiation". That is, I don't see a particular need to detail how to implement a non-recommended capability. > > If someone finds a compelling reason to use TLS renegotation, they can > write a separate document (updating the XMPP specification) to describe > how it should work. That will likely result in better interop than with > the compromise text that isn't sufficient for good interop of > TLS+renegotiation. > > However I don't care strongly; I think either text would be better than > what is in many other protocols anyway. > > /Simon > >> 5.2.5. Renegotiation >> >> XMPP entities MUST NOT attempt TLS renegotiation, and if either party >> to a TLS-protected stream detects a TLS renegotiation attempt it MUST >> immediately close the underlying TCP connection without returning a >> stream error (since the violation has occurred at the TLS layer, not >> the XMPP layer; see Section 13.3). >> >> Security Note: There are some rare cases in which TLS >> renegotiation might be justified, such as (1) refreshing >> encryption keys, (2) wrapping the TLS sequence number as explained >> in [TLS], and (3) protecting client credentials by completing >> server authentication first and then completing client >> authentication over the protected channel. In the first two cases >> it is preferable to use an XMPP stream reset instead of performing >> TLS renegotiation. The third case has slightly improved security >> characteristics when the TLS client (which might be an XMPP >> server) presents credentials to the TLS server, however that >> slight benefit is outweighed by the complexity of requiring >> implementations to support TLS renegotiation. >> >> ### >> >> >> _______________________________________________ >> xmpp mailing list >> xmpp@ietf.org >> https://www.ietf.org/mailman/listinfo/xmpp > _______________________________________________ > xmpp mailing list > xmpp@ietf.org > https://www.ietf.org/mailman/listinfo/xmpp
- [xmpp] #39: prohibition on TLS renegotiation xmpp issue tracker
- Re: [xmpp] #39: prohibition on TLS renegotiation Peter Saint-Andre
- Re: [xmpp] #39: prohibition on TLS renegotiation xmpp issue tracker
- Re: [xmpp] #39: prohibition on TLS renegotiation Simon Josefsson
- Re: [xmpp] #39: prohibition on TLS renegotiation Peter Saint-Andre
- Re: [xmpp] #39: prohibition on TLS renegotiation Peter Saint-Andre
- Re: [xmpp] #39: prohibition on TLS renegotiation Kurt Zeilenga
- Re: [xmpp] #39: prohibition on TLS renegotiation Peter Saint-Andre
- Re: [xmpp] #39: prohibition on TLS renegotiation Kurt Zeilenga
- Re: [xmpp] #39: prohibition on TLS renegotiation Peter Saint-Andre
- Re: [xmpp] #39: prohibition on TLS renegotiation Simon Josefsson
- Re: [xmpp] #39: prohibition on TLS renegotiation Kurt Zeilenga
- Re: [xmpp] #39: prohibition on TLS renegotiation Simon Josefsson
- Re: [xmpp] #39: prohibition on TLS renegotiation Peter Saint-Andre
- Re: [xmpp] #39: prohibition on TLS renegotiation Ben Campbell
- Re: [xmpp] #39: prohibition on TLS renegotiation Kurt Zeilenga
- Re: [xmpp] #39: prohibition on TLS renegotiation Peter Saint-Andre