Re: [TLS] Negotiation in draft-santesson-tls-gssapi
Martin Rex wrote:
>
> > Nor is there a way to piggyback the first context token into
> > the client Hello message without first extending the client Hello, but
> > how can we extend the client Hello? (AFAICS we cannot.)
>
> Hello extensions should work with SSLv3 already.
> Is there a size limitation on the Hello extension?
> (because there is no size limitation on the gssapi context level tokens).
A while back we had a discussion about changing the TLS PRF.
Then it was suggested that it should be OK if both parties have
to keep all SSL handshake messages around in order to compute
the finished messages.
I don't think this would be a good idea if there is no size limit
on the size of the entire SSL/TLS handshake. Do we really want
to have the entire GSS-API token exchange WITHIN the TLS handshake?
Even in the "good" case, this may be a significant amount of
data. The initial SPNEGO token may be carrying a wrongly guessed
initial context token of a gssapi mechanism not offered by the
server, and then you also get the full handshake of the
common mechanism.
The decision of a TLS server to abort a handshake because of an
excessively large Hello extension itself might be easier than
telling from which size on a huge optimistic context token for a
(potentially unsupported) gssapi mechanism in the SPNEGO token
should be considered an offense or attack deserving a FATAL SSL alert...
-Martin
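The two questions raised above, whether the Hello extension has a size limit and where a server should draw the line before treating an oversized token as an attack, can be made concrete in code. The following is an added example, not code from this thread or from the draft. It parses a ClientHello according to the TLS wire format, in which the extensions vector and each extension_data field carry a 16-bit length prefix (so the wire format itself caps the whole extensions block at 65535 bytes), and then applies a separate, much smaller policy limit before the server does any expensive work with the contents, which is the point at which a server can abort cheaply. The policy numbers, the extension type 0xFFFE standing in for the GSS-API token extension (the draft's real codepoint is not on the page), and the test hello are all constructed for the example.

```python
import struct

# Policy limits, constructed for this example; a real server chooses its own.
MAX_EXTENSIONS_TOTAL = 4096   # bytes allowed for the whole extensions block
MAX_EXTENSION_SINGLE = 1024   # bytes allowed for any single extension_data

# Wire-format bound: extensions<0..2^16-1> has a 16-bit length prefix.
WIRE_MAX_EXTENSIONS = 0xFFFF

# Placeholder extension type for the GSS-API token; not the draft's codepoint.
GSSAPI_EXT_TYPE_PLACEHOLDER = 0xFFFE


class HelloParseError(ValueError):
    """Malformed or truncated ClientHello (a server would send decode_error)."""


def _take(buf, pos, n):
    """Bounds-checked slice: return buf[pos:pos+n] and the new offset."""
    if pos + n > len(buf):
        raise HelloParseError("truncated at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def parse_client_hello(msg):
    """Parse a TLS handshake message carrying a ClientHello.

    Returns a dict with client_version, session_id, cipher_suites and a list
    of (extension_type, extension_data) tuples. Every length field is checked
    against the bytes actually present before it is trusted.
    """
    hdr, pos = _take(msg, 0, 4)
    if hdr[0] != 1:
        raise HelloParseError("handshake type %d is not ClientHello" % hdr[0])
    length = int.from_bytes(hdr[1:4], "big")          # 24-bit handshake length
    body, end = _take(msg, pos, length)
    if end != len(msg):
        raise HelloParseError("trailing bytes after ClientHello")

    pos = 0
    version, pos = _take(body, pos, 2)
    _random, pos = _take(body, pos, 32)
    sid_len, pos = _take(body, pos, 1)
    session_id, pos = _take(body, pos, sid_len[0])
    cs_len_b, pos = _take(body, pos, 2)
    cs_len = int.from_bytes(cs_len_b, "big")
    if cs_len < 2 or cs_len % 2:
        raise HelloParseError("bad cipher_suites length %d" % cs_len)
    cs_raw, pos = _take(body, pos, cs_len)
    cm_len, pos = _take(body, pos, 1)
    if cm_len[0] == 0:
        raise HelloParseError("empty compression_methods")
    _comp, pos = _take(body, pos, cm_len[0])

    extensions = []
    if pos < len(body):                 # extensions block is optional
        ext_len_b, pos = _take(body, pos, 2)
        ext_len = int.from_bytes(ext_len_b, "big")
        ext_block, pos = _take(body, pos, ext_len)
        if pos != len(body):
            raise HelloParseError("extensions length does not cover the rest of the hello")
        epos = 0
        while epos < len(ext_block):
            ehdr, epos = _take(ext_block, epos, 4)
            etype = int.from_bytes(ehdr[0:2], "big")
            elen = int.from_bytes(ehdr[2:4], "big")
            edata, epos = _take(ext_block, epos, elen)
            extensions.append((etype, bytes(edata)))

    return {
        "client_version": (version[0], version[1]),
        "session_id": bytes(session_id),
        "cipher_suites": [int.from_bytes(cs_raw[i:i + 2], "big") for i in range(0, cs_len, 2)],
        "extensions": extensions,
    }


def screen_client_hello(msg, max_total=MAX_EXTENSIONS_TOTAL, max_single=MAX_EXTENSION_SINGLE):
    """Cheap size screening run before any extension is handed to GSS-API/SPNEGO.

    Returns (verdict, detail): 'decode_error' for malformed input, 'reject'
    when a well-formed hello exceeds the policy limits, 'accept' otherwise.
    """
    try:
        hello = parse_client_hello(msg)
    except HelloParseError as exc:
        return "decode_error", str(exc)
    total = sum(4 + len(data) for _, data in hello["extensions"])
    if total > max_total:
        return "reject", "extensions block %d bytes exceeds policy %d" % (total, max_total)
    for etype, data in hello["extensions"]:
        if len(data) > max_single:
            return "reject", "extension 0x%04x carries %d bytes, policy %d" % (etype, len(data), max_single)
    return "accept", "%d extension bytes" % total


def build_client_hello(extensions, version=(3, 1)):
    """Serialize a minimal ClientHello; constructed test data, not a real client's hello."""
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    if len(ext_block) > WIRE_MAX_EXTENSIONS:
        raise ValueError("extensions block does not fit a 16-bit length")
    body = bytes(version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"              # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                     # compression: null only
    if extensions:
        body += struct.pack("!H", len(ext_block)) + ext_block
    return b"\x01" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    small = build_client_hello([(GSSAPI_EXT_TYPE_PLACEHOLDER, b"\x60" + b"\x00" * 100)])
    huge = build_client_hello([(GSSAPI_EXT_TYPE_PLACEHOLDER, b"\x60" + b"\x00" * 5000)])
    for name, hello in (("small", small), ("huge", huge), ("truncated", small[:20])):
        print(name, screen_client_hello(hello))
```

The design point is the ordering: the size screen runs on the raw hello, before the server allocates a GSS-API context or passes the token to SPNEGO, so an oversized optimistic token is refused at the same cost as any other malformed hello rather than after the expensive part has begun.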
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.