Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:

To: Nicolas.Williams at sun.com (Nicolas Williams)
Subject: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
From: Martin Rex <Martin.Rex at sap.com>
Date: Mon, 2 Nov 2009 17:48:44 +0100 (MET)
Cc: channel-binding at ietf.org, sasl at ietf.org, tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <20091030223647.GO1105 at Sun.COM> from "Nicolas Williams" at Oct 30, 9 05:36:48 pm
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Nicolas Williams wrote:
> 
> Another problem that Larry has is that in his implementation what I call
> a "TLS connection" is called a "security context", and if the
> application re-handshakes (e.g., to authenticate a user) then the result
> is a second security context -- we need to be extra clear that it's the
> client Finished message from the _first_ "security context" that we're
> after.

Microsoft's implementation (which could be the one referred to by
Larry's implementation) has a silly design flaw in its TLS renogiation,
and I'm not sure that the previous text is a way to fix it.

It is possible to configure Microsoft IIS in a fashion so that it
will first perform a TLS handshake with a server-only authentication,
and after having received the HTTP request, it will re-negotiate and
ask for a client certificate.

In the ClientHello, the client will send no TLS session ID (since
the purpose is renegotiation -- aka a full TLS handshake.
Microsoft IIS will send back a ServerHello with an entirely new
TLS session ID.  In my TLS clients, I will drop TLS sessions
from the client-side cache for which the server asks for
re-negotiation (actually replace them with the resulting
renegotiated TLS session).

Unfortunately, this doesn't save a TLS handshake on the next
connect, Microsoft IIS will force another renegotiation when
that re-negotiated session is resumed, resulting in yet
another new TLS session.

From my experience, it is possible to TLS resume both, the original
and the renegotiated session when Microsoft IIS is the server,
and it will force through re-negotiation on both.  So an IIS
configured like that will artificially inflate its server-side
session cache and impose unnecessary re-negotiations on
the TLS client and on itself.

And btw. Channel Binding at the application layer and
transparent TLS-session renegotiation at the TLS layer appear
somewhere between hard-to-do and mutually exclusive--in case
that the TLS session renegotiation happens totally transparent
to the application.

-Martin

Follow-Ups:
- Re: [TLS] [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:
  - From: Nicolas Williams
- Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
  - From: Peter Gutmann

References:
- [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard))
  - From: Nicolas Williams

Prev by Date: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Next by Date: Re: [TLS] Server Signature Algorithms
Previous by thread: Re: [TLS] [CHANNEL-BINDING] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Next by thread: Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:
Index(es):
- Date
- Thread

Re: [TLS] RESOLVED (Re: [sasl] lasgt call comments (st Call:

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.