Re: [TLS] TLS renegotiation issue
On Thu, Nov 05, 2009 at 07:16:02PM +0100, Martin Rex wrote:
> Nicolas Williams wrote:
> > You can't use the client.random and server.random as channel bindings.
>
> I'm trying to use terminology that is already in the TLS specs.
> The generic term "channel bindings" is a little bit to fuzzy for
> my taste, and the original use of channel bindings in GSS-API
> is not cryptographically secure.
I understand. The spec will just have to be updated to say that the
finished messages (or at least the client one) are to be exported to
applications.
TLS implementors, know this: you must update your implementations to
export to applications, at least the client Finished message for at
least any and all "outer-most" TLS handshakes (that is, handshakes not
protected by another TLS connection's record layer).
This is just a matter of interfaces for all software implementations.
For hardware implementations it's going to be tougher -- particularly
tough for concentrator implementations. (Provided that a concentrator
terminates both, the outer and inner TLS connections, then all other
uses of TLS channel binding can use the tls-server-end-point channel
binding type. But really, you'll want to export the tls-unique channel
bindings.)
> > But the client's Finished message from the outer TLS connection works.
>
> OK.
>
> You win. ;-)
Hey, it's not about winning! I perfectly understand, and _share_, the
desire to use existing interfaces where possible. In this case there is
no such interface (in some TLS APIs apps could parse the TLS record
layer and heuristically find the record that contains the protected
client Finished message, but that's... not really an interface, not what
we want, and not reliably available everywhere).
We've looked at this problem many times before, and this is always the
conclusion that we've come to. I really wish that TLS 1.2 had made the
client Finished messages part of the exported security parameters (I
really wish I'd thought to make sure that 1.2 did that). But then,
making the 1.2 spec say this is not enough: installed base inertia is
what makes it hard to ensure that Finished messages are exported.
Nico
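The value the message argues implementations should export is the body of the client Finished message, the 12-byte verify_data that TLS 1.2 (RFC 5246) derives from the master secret and a hash of the whole handshake transcript. The following is an added example, not code from the thread or from any TLS stack: it implements the TLS 1.2 PRF and Finished computation for a SHA-256 cipher suite and shows why this value works as a channel binding, namely that two connections with different transcripts (what an attacker relaying between two TLS connections would have) yield different bindings. The master secret and transcript bytes are constructed, not from a real handshake.

```python
import hashlib
import hmac

# P_SHA256 expansion from RFC 5246 section 5:
#   A(0) = seed, A(i) = HMAC(secret, A(i-1))
#   P_hash = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

# TLS 1.2 PRF for suites whose PRF hash is SHA-256: P_SHA256(secret, label + seed)
def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

# Finished.verify_data = PRF(master_secret, finished_label,
#                            Hash(all handshake messages so far))[0:12]
def finished_verify_data(master_secret: bytes, handshake_messages: bytes,
                         role: str) -> bytes:
    label = b"client finished" if role == "client" else b"server finished"
    return prf(master_secret, label, hashlib.sha256(handshake_messages).digest(), 12)

# Constructed sample inputs (placeholders, not captured from a real handshake).
MASTER_SECRET = bytes(range(48))                     # 48-byte master secret
TRANSCRIPT_A = b"\x01" + b"ClientHello/A" + b"\x02" + b"ServerHello/A" + b"\x10KeyExchange/A"
TRANSCRIPT_B = b"\x01" + b"ClientHello/B" + b"\x02" + b"ServerHello/B" + b"\x10KeyExchange/B"

# The tls-unique binding: the client's verify_data for the outer-most handshake.
def tls_unique(master_secret: bytes, transcript: bytes) -> bytes:
    return finished_verify_data(master_secret, transcript, "client")

# Application-layer proof that binds an authentication to the TLS channel:
# the client MACs the channel binding with a key the server also knows
# (here a constructed shared key standing in for any app-level credential).
def app_auth_proof(app_key: bytes, channel_binding: bytes) -> bytes:
    return hmac.new(app_key, b"bind:" + channel_binding, hashlib.sha256).digest()

def proof_valid(app_key: bytes, channel_binding: bytes, proof: bytes) -> bool:
    return hmac.compare_digest(app_auth_proof(app_key, channel_binding), proof)

def demo() -> bool:
    key = b"constructed-app-key"
    cb_client_side = tls_unique(MASTER_SECRET, TRANSCRIPT_A)   # client's TLS connection
    cb_relayed = tls_unique(MASTER_SECRET, TRANSCRIPT_B)       # a different connection
    proof = app_auth_proof(key, cb_client_side)
    # Valid on the connection it was computed over, rejected when relayed.
    return proof_valid(key, cb_client_side, proof) and not proof_valid(key, cb_relayed, proof)
```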