Re: [Syslog] Fingerprint/handshake

Balazs Scheidler <bazsi@balabit.hu> Fri, 30 May 2008 05:17 UTC

From: Balazs Scheidler <bazsi@balabit.hu>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>
In-Reply-To: <1212057848.16825.16.camel@rgf9dev.intern.adiscon.com>
References: <003901c8b9f7$b671959d$060013ac@intern.adiscon.com> <AC1CFD94F59A264488DC2BEC3E890DE505DFD8E5@xmb-sjc-225.amer.cisco.com> <577465F99B41C842AAFBE9ED71E70ABA309090@grfint2.intern.adiscon.com> <AC1CFD94F59A264488DC2BEC3E890DE505E7E825@xmb-sjc-225.amer.cisco.com> <577465F99B41C842AAFBE9ED71E70ABA3090E1@grfint2.intern.adiscon.com> <1212048724.28540.29.camel@bzorp.balabit> <1212057848.16825.16.camel@rgf9dev.intern.adiscon.com>
Date: Fri, 30 May 2008 07:17:22 +0200
Message-Id: <1212124642.7808.5.camel@bzorp.balabit>
Mime-Version: 1.0
Cc: syslog@ietf.org
Subject: Re: [Syslog] Fingerprint/handshake

On Thu, 2008-05-29 at 12:44 +0200, Rainer Gerhards wrote:
> On Thu, 2008-05-29 at 10:12 +0200, Balazs Scheidler wrote:
> > On Thu, 2008-05-29 at 09:45 +0200, Rainer Gerhards wrote:
> > > Inline...
> > > > -----Original Message-----
> > > > From: Joseph Salowey (jsalowey) [mailto:jsalowey@cisco.com]
> > > > Sent: Thursday, May 29, 2008 2:32 AM
> > > > To: Rainer Gerhards; syslog@ietf.org
> > > > Subject: RE: [Syslog] Fingerprint/handshake
> > > > 
> > > > Hi Rainer,
> > > > 
> > > > A TLS alert could be sent by the server indicating the error condition.
> > > > Would this help?
> > 
> > > That's an interesting idea. Let me give it a try. Will provide feedback when I have done this. In any case, if it turns out to be a problem with one library, we may be better off mandating that all verification is done during the handshake...
> > 
> > By the way, I've read in your implementation report that it is not
> > possible to terminate the handshake with OpenSSL either. This is not the
> > case, you can do that.
> 
> Ah, good to know. So it looks like this is a single-library problem,
> about which the standard should obviously not care.
> 
> Bazsi, could you do me a favor and let me know which callback you use,
> so that I can get to the specifics (also for the GnuTLS folks). I'd
> really appreciate that.
> 

In OpenSSL the complete peer validation process can be changed by using
SSL_CTX_set_cert_verify_callback(); it gets the X509_STORE populated with
the peer-supplied key chain and returns whether the validation failed.

If the callback returns failure, an alarm is sent back to the peer
depending on the error code that is returned by this callback.


-- 
Bazsi


_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog