Re: [TLS] Multiple Session Caches and SNI

To: tls at ietf.org
Subject: Re: [TLS] Multiple Session Caches and SNI
From: Michael D'Errico <mike-list at pobox.com>
Date: Fri, 30 Oct 2009 12:26:15 -0700
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=4cZilZth/RZ8 xh1HfVC9O4ungQs=; b=VX+dzoQzhVwZ0sQiRj8w5Ffbr3KcAVHj+WUgpCQKU5PY e9b4cLtKLr6MFcTIKv0bmg57gUxNBazURNnG2krSub9dxmfXuYkJQEQF3n6SxkH7 JaHls0t9+ZVH3T9OwfxyJ7AtiJwGu/pUaN5hvVZDbuSJ9qsNl2N+To9Y2XiV+po=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=H7+Flp 1JjECeZ7FEhB8mEWv0L8Q5GsJSS8BP8ZqQK9gqfxyEVJSG0Vk7abVOFO3Gv/U9Pl oHY7In7qA9kWaIaDjRCRO2l89Aj3q7zfgp5C0NfJB/Q71dMyQfQf9qBlz0DFk4B5 ddkzmwWqk26m/700/nnIpHUOAazWnHEzcszwQ=
In-reply-to: <200910301852.n9UIqgev022554 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200910301852.n9UIqgev022554 at fs4113.wdf.sap.corp>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

In addition to cache management aspects, the TLS server should keep
robustness in mind.  e.g. robustness against TLS clients with
a broken client-side TLS session cache management that will
recklessly propose a TLS session resume for a session (ID) originally
established with Mars to just about every earthling they're asked
to connect to later on.


Section 7.2.2 of RFC 5246 concerning Error Alerts handles this.  If
a connection terminates with a fatal alert, the session associated
with that connection MUST NOT be resumed.  So perhaps a server will
try to resume the session once, but it will delete it from its cache
when the handshake fails.  Other servers that don't recognize the
session ID will perform full handshakes.

And before a TLS server checks for existence of a TLS session,
whose session ID is proposed in a ClientHello, it should determine
wheter it would be willing to establish a new session through
a full handshake based on the other information in the ClientHello
and under what conditions it would do so.


I do it the other way around -- after retrieving the session, checks
are made to make sure the cipher suite and compression algorithm are
listed in the ClientHello.  This is mandatory according to section
7.4.1.2.  The only other check I currently have is for the age of the
session to make sure it is fresh enough.

If the TLS server finds a TLS session with the proposed session ID
in his cache, it should then use the results from the previous
determination of the ClientHello parameters whether it is OK to
attempt to resume the cached session, or whether it is advised
to perform a full SSL handshake, because of a significant mismatch
of the newly determine session characteristics from those
of the cachend session identified by the client-proposed Session ID.


RFC 4366 states:

   -  If, on the other hand, the older session is resumed, then the
      server MUST ignore the extensions and send a server hello
      containing none of the extension types.  In this case, the
      functionality of these extensions negotiated during the original
      session initiation is applied to the resumed session.

Mike

This is a simple and straightforward robustness principle leading
to consistent behaviour, that will save implementors and consumers
of the technology a lot of time and headaches.


-Martin

Follow-Ups:
- Re: [TLS] Multiple Session Caches and SNI
  - From: Martin Rex

References:
- Re: [TLS] Multiple Session Caches and SNI (was Questions about TLS
  - From: Martin Rex

Prev by Date: Re: [TLS] Questions about TLS Server Name Indication extension
Next by Date: Re: [TLS] Multiple domain names in SNI (was Questions about TLS Server Name Indication extension)
Previous by thread: Re: [TLS] Multiple Session Caches and SNI (was Questions about TLS
Next by thread: Re: [TLS] Multiple Session Caches and SNI
Index(es):
- Date
- Thread

Re: [TLS] Multiple Session Caches and SNI

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.