Re: [TLS] TLS renegotiation issue

[Nicolas Williams <Nicolas.Williams at sun.com>]

On Thu, Nov 05, 2009 at 11:09:51AM -0800, Eric Rescorla wrote:
> On Thu, Nov 5, 2009 at 10:46 AM, Nicolas Williams
> <Nicolas.Williams at sun.com> wrote:
> > On Thu, Nov 05, 2009 at 10:16:11AM -0800, Eric Rescorla wrote:
> >> I now have a draft extension up at:
> >>
> >> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
> >> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.xml
> >
> > Initial comments based on a brief skim:
> >
> >  - Please add a normative reference to RFC5056.
> 
> There's no need for a normative reference here. This mechanism is
> self-contained.
> I'd be happy to add an informative reference.

That's also true about draft-altman-tls-channel-bindings then, but you
have a normative reference to it.  I'm happy with an informative
reference.

> >  - There's no real need for the ServerHello to include both of the
> >   Finished messages from the outer TLS connection.  (I think there's no
> >   real need for the ServerHello to include either of them, actually,
> >   but I've not thought enough about that.)  But it's OK as is, of
> >   course.
> 
> The general consensus was that it was harmless and might potentially
> avoid some reflection logic errors.

If the server sends anything other than a mere acknowledgement, it
should send its Finished message from the outer connection -- the client
can then check that to see that the server really does understand this
-- and the doc should say that the client must check this (but I think
it does say this).  The server sending the client's Finished message
back is superfluous, but I agree that it's harmless.

> >  - You call for each TLS handshake to bind to the one immediately
> >   outside it.
> >
> >   Would it be better to bind to the outer-most one instead?
> >
> >   (In practice there's probably never more than one outer and one inner
> >   handshake, right?)
> 
> Why do you think this is an improvement.

Either way the binding would ultimately be to the outer-most connection,
therefore this way there's less state to track.  A minor point, I agree.

> >  - There is a way for clients to protect themselves even when servers
> >   don't implement this extension:
> >
> >   a) clients MUST NOT ever send any application-level messages without
> >      TLS protection if they are willing to negotiate a TLS connection
> >      after sending any application-level messages,
> >
> >   _and_,
> >
> >   b) if a server requests re-negotiation then the client MUST ensure
> >      that the outer and inner TLS connection handshakes used a server
> >      certificate, and, specifically, the _same_ server certificate,
> >      otherwise the client MUST abort without ever completing the
> >      second/inner handshake.
> 
> This isn't enough. If you look at the diagram you can see that the
> client never experiences a renegotiation.

That's one diagram.  There's other cases, but even in the case you
described, if the client never experiences a re-negotiation then it will
not have authenticated itself, or, if it has authenticated itself then
it will/should also have authenticated the server to the client, in
which case the MITM can't be.  As a result the MITM gets nothing.  (My
rules cover the case where a client would send a request unprotected,
then negotiates TLS when the server requires authentication -- my rules
forbid that.)

> >  - Might as well update RFC5246 to indicate that the Finished messages
> >   for any connection MUST be exported to applications.  Better get this
> >   done now.
> 
> This sort of interface issue seems out of scope for the TLS spec.

Let me re-phrase: the finished messages should be added to
SecurityParameters (Martin evidently takes that to be something should
be exported to apps; I don't entirely agree with Martin on that point).

Nico
--