Re: [TLS] Multiple Session Caches and SNI

To: tls at ietf.org
Subject: Re: [TLS] Multiple Session Caches and SNI
From: Michael D'Errico <mike-list at pobox.com>
Date: Fri, 30 Oct 2009 17:40:19 -0700
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=bcIE1LdGB66v jRQcMiuAtyci5uA=; b=Oc2qm1V+1kfHV+rCVHMYB2zU9Y2SREENsnaiplugcaxj dSNdCjuZTivJgcFk5ATMs2MrpL1pTogzeb+Ayombk+u77XQM5y6DUDq+3oeqcNNJ PfLm7xHuPHJHU+2FyaXpbIku6vuR+DOYe0ZESVGPpig+1DggOukQDbDlDEwq1Vo=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=Om64Li qOk8d2gcn7LDipHvrHwVPhsSLx2XCcLa5+G6pQwCiEdfBBZm0JAcX3NIAzVowFSd 1h8Swqnh5jEBqozmTlNBIMQHoRtumIlZV8JDlIqY4+0e+DCkocGR7UNLwywWIBrQ 6ouVm2E7+EEHjdwmpOowXTRjojuzfklRBp6YE=
In-reply-to: <200910302031.n9UKVG2k027818 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200910302031.n9UKVG2k027818 at fs4113.wdf.sap.corp>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

Section 7.2.2 of RFC 5246 concerning Error Alerts handles this.  If
a connection terminates with a fatal alert, the session associated
with that connection MUST NOT be resumed.  So perhaps a server will
try to resume the session once, but it will delete it from its cache
when the handshake fails.  Other servers that don't recognize the
session ID will perform full handshakes.


That appears to strict to me.  I would make the server delete
a session from his cache when an attempted resume results in a failure.
I can not currently think of an error (i.e. fatal alert) after a
mutual successful finished message verification that should cause
the server to flush the affected ssl session from his session cache.


The main one is a BAD_RECORD_MAC alert if decryption fails, padding
is wrong, the MACs don't match.  The record version could be wrong;
the record could be greater than 2^14 bytes.  None of these things
should happen under normal circumstances, so you have to assume an
attack is underway.

If the TLS server finds a TLS session with the proposed session ID
in his cache, it should then use the results from the previous
determination of the ClientHello parameters whether it is OK to
attempt to resume the cached session, or whether it is advised
to perform a full SSL handshake, because of a significant mismatch
of the newly determine session characteristics from those
of the cachend session identified by the client-proposed Session ID.

RFC 4366 states:

    -  If, on the other hand, the older session is resumed, then the
       server MUST ignore the extensions and send a server hello
       containing none of the extension types.  In this case, the
       functionality of these extensions negotiated during the original
       session initiation is applied to the resumed session.


Correct, but you should not read it backwards.

If the server agrees to resume (for whatever reason), the other
accompanying information in the ClientHello should NOT be used to
modify that cached session.

Does rfc-4366 say anywhere that the server _must_not_ involve the
parameters and extensions present in a ClientHello in his decision
to resume or not resume a cached SSL session when the client
includes a session id in the ClientHello handshake message?


Aside from what I quoted, I don't believe so.  The server can decide
not to resume a session for whatever reason it wants.  In fact there
is no requirement to support session caching at all.  What the text
means is that IF the server agrees to resume the session, the resumed
session will have the same features as the original according to the
extensions in the original handshake, regardless of the extensions in
the ClientHello for the resumed session.

Mike

References:
- Re: [TLS] Multiple Session Caches and SNI
  - From: Martin Rex

Prev by Date: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
Next by Date: Re: [TLS] Questions about TLS Server Name Indication extension
Previous by thread: Re: [TLS] Multiple Session Caches and SNI
Next by thread: Re: [TLS] Renegotiation with SNI after initial connection without SNI (was Questions about TLS Server Name Indication extension)
Index(es):
- Date
- Thread

Re: [TLS] Multiple Session Caches and SNI

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.