Re: [TLS] TLS renegotiation issue

[Eric Rescorla <ekr at rtfm.com>]

On Thu, Nov 5, 2009 at 12:21 PM, Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Thu, Nov 05, 2009 at 11:09:51AM -0800, Eric Rescorla wrote:
>> On Thu, Nov 5, 2009 at 10:46 AM, Nicolas Williams
>> <Nicolas.Williams at sun.com> wrote:
>> > On Thu, Nov 05, 2009 at 10:16:11AM -0800, Eric Rescorla wrote:
>> >> I now have a draft extension up at:
>> >>
>> >> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
>> >> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.xml
>> >
>> > Initial comments based on a brief skim:
>> >
>> >  - Please add a normative reference to RFC5056.
>>
>> There's no need for a normative reference here. This mechanism is
>> self-contained.
>> I'd be happy to add an informative reference.
>
> That's also true about draft-altman-tls-channel-bindings then, but you
> have a normative reference to it.  I'm happy with an informative
> reference.

That's an editing error. I'll add informative to both.




>> >  - There is a way for clients to protect themselves even when servers
>> >   don't implement this extension:
>> >
>> >   a) clients MUST NOT ever send any application-level messages without
>> >      TLS protection if they are willing to negotiate a TLS connection
>> >      after sending any application-level messages,
>> >
>> >   _and_,
>> >
>> >   b) if a server requests re-negotiation then the client MUST ensure
>> >      that the outer and inner TLS connection handshakes used a server
>> >      certificate, and, specifically, the _same_ server certificate,
>> >      otherwise the client MUST abort without ever completing the
>> >      second/inner handshake.
>>
>> This isn't enough. If you look at the diagram you can see that the
>> client never experiences a renegotiation.
>
> That's one diagram.  There's other cases, but even in the case you
> described, if the client never experiences a re-negotiation then it will
> not have authenticated itself, or, if it has authenticated itself then
> it will/should also have authenticated the server to the client, in
> which case the MITM can't be.  As a result the MITM gets nothing.  (My
> rules cover the case where a client would send a request unprotected,
> then negotiates TLS when the server requires authentication -- my rules
> forbid that.)

You're assuming that certificate-based client auth is the only issue.
But the attacker can do damage just by injecting a prefix to an
ordinary cookie-authenticated request.

-Ekr