Re: [TLS] TLS renegotiation issue

To: Nicolas Williams <Nicolas.Williams at sun.com>
Subject: Re: [TLS] TLS renegotiation issue
From: Eric Rescorla <ekr at rtfm.com>
Date: Thu, 5 Nov 2009 11:09:51 -0800
Cc: "tls at ietf.org" <tls at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <20091105184615.GG1105 at Sun.COM>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3 at rtfm.com> <d3aa5d00911051016p7a0cc508q2090b86de30a50d5 at mail.gmail.com> <20091105184615.GG1105 at Sun.COM>

On Thu, Nov 5, 2009 at 10:46 AM, Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Thu, Nov 05, 2009 at 10:16:11AM -0800, Eric Rescorla wrote:
>> I now have a draft extension up at:
>>
>> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
>> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.xml
>
> Initial comments based on a brief skim:
>
>  - Please add a normative reference to RFC5056.

There's no need for a normative reference here. This mechanism is
self-contained.
I'd be happy to add an informative reference.

>  - There's no real need for the ServerHello to include both of the
>   Finished messages from the outer TLS connection.  (I think there's no
>   real need for the ServerHello to include either of them, actually,
>   but I've not thought enough about that.)  But it's OK as is, of
>   course.

The general consensus was that it was harmless and might potentially
avoid some reflection logic errors.


>  - You call for each TLS handshake to bind to the one immediately
>   outside it.
>
>   Would it be better to bind to the outer-most one instead?
>
>   (In practice there's probably never more than one outer and one inner
>   handshake, right?)

Why do you think this is an improvement.


>  - There is a way for clients to protect themselves even when servers
>   don't implement this extension:
>
>   a) clients MUST NOT ever send any application-level messages without
>      TLS protection if they are willing to negotiate a TLS connection
>      after sending any application-level messages,
>
>   _and_,
>
>   b) if a server requests re-negotiation then the client MUST ensure
>      that the outer and inner TLS connection handshakes used a server
>      certificate, and, specifically, the _same_ server certificate,
>      otherwise the client MUST abort without ever completing the
>      second/inner handshake.

This isn't enough. If you look at the diagram you can see that the
client never experiences a renegotiation.



>  - Might as well update RFC5246 to indicate that the Finished messages
>   for any connection MUST be exported to applications.  Better get this
>   done now.

This sort of interface issue seems out of scope for the TLS spec.

-Ekr

Follow-Ups:
- Re: [TLS] TLS renegotiation issue
  - From: Nicolas Williams

References:
- [TLS] TLS renegotiation issue
  - From: Eric Rescorla
- Re: [TLS] TLS renegotiation issue
  - From: Eric Rescorla
- Re: [TLS] TLS renegotiation issue
  - From: Nicolas Williams

Prev by Date: Re: [TLS] TLS renegotiation issue
Next by Date: Re: [TLS] TLS renegotiation issue
Previous by thread: Re: [TLS] TLS renegotiation issue
Next by thread: Re: [TLS] TLS renegotiation issue
Index(es):
- Date
- Thread

Re: [TLS] TLS renegotiation issue

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.