[TLS] Simple way to drop re-negotiation in HTTP (Re: draft-rescorla-tls-renegotiate.txt)
On Fri, Nov 06, 2009 at 05:41:23PM -0600, Marsh Ray wrote:
> Michael D'Errico wrote:
> >
> > A server can still negotiate an SSLv3 connection as it does today.
> > It just can't re-negotiate that connection later.
>
> But on the server question:
>
> There is a large, but unknown, group of sites that really depend on
> being able to serve different requirements for client certs from the
> same IP.
The simplest way to drop re-negotiation in web servers is this (based on
an idea by Nelson Bolyard):
- start two instances of the web server, one on an alternate port
number, with the same contents
- the primary instance will accept TLS user authentication, but will
not require it
- the instance on the alternate port will always require TLS user
authentication
- neither instance accepts TLS re-negotiations
- whenever the primary instance of the web server would request user
authentication via TLS do this instead: re-direct the client to the
same resource on the alternate port.
That's almost entirely automatic. The only thing a webmaster must do is
pick a suitable port number for the instance that requires user
authentication.
The redirects will add some round-tripage. They can be avoided somewhat
by re-writing URLs in contents served to point to the right server
instance.
Ugly, yes, but automatable.
Nico
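The two-instance layout described above, written out as an Apache httpd
mod_ssl configuration. This is an added illustration, not part of Nico's
message; the hostname, port 8443, document root and certificate paths are
assumptions.

```apache
# Assumed: Apache httpd 2.4 with mod_ssl, hostname www.example.com,
# alternate port 8443. All SSL directives stay at VirtualHost scope:
# a per-directory "SSLVerifyClient require" is exactly what makes
# mod_ssl renegotiate, so neither instance contains one.
Listen 443
Listen 8443

# Primary instance: a client certificate is accepted but never required.
<VirtualHost *:443>
    ServerName            www.example.com
    DocumentRoot          /srv/www/site
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient       optional
    SSLVerifyDepth        2

    # Where the site would otherwise demand a client certificate,
    # send the client to the same path on the strict instance instead.
    # 307 keeps the request method, so a POST stays a POST.
    Redirect 307 /secure https://www.example.com:8443/secure
</VirtualHost>

# Alternate instance: the client certificate is required in the initial
# handshake, so it is never obtained through renegotiation.
<VirtualHost *:8443>
    ServerName            www.example.com:8443
    DocumentRoot          /srv/www/site
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2
</VirtualHost>
```

This only removes the server's own reason to renegotiate; refusing
client-initiated renegotiation is a separate server or TLS-library setting
that the fragment does not show.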