Re: [TLS] TLS or HTTP issue?

To: mrex at sap.com
Subject: Re: [TLS] TLS or HTTP issue?
From: Nikos Mavrogiannopoulos <nmav at gnutls.org>
Date: Sat, 07 Nov 2009 10:01:42 +0200
Cc: ekr at rtfm.com, tls at ietf.org
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=Tjw696Ln5KSI8yPJiYOeerx2xiObMVaPUxhZqinTs7Q=; b=CERzDLqPt3R4pFVMHid1TkVuDxUIEAyS1pit1mCbKKSoNyZIV+7tV1xjU+wTzUIfLx HpuOakk4rJmK9OY+1GnxzWG4L9aY5ZsY4Yi7SuOmOguLsbKw7WrlZK3sYvIScipP8Xu6 q0x+/WYfGB6hVm71ktfPVhlEw3XG/S37LU3ak=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=oJj/zwmw0LS3VKtnnaqwPcxhP8I1ngkfz4JM3BXmjypL7AualESQ2vbEgM5U+rudOM t2/aY/7h0Mg098RjFAiU2Unr5fg6Wy3ICtUWqBzKECvC7t5oAYebBHBSCY0nqm+4mrR2 mu33mOhRdlHgihpSVHrMHvfmbLW8ryljH9JZ4=
In-reply-to: <200911061713.nA6HDi2n021935 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=96865171
References: <200911061713.nA6HDi2n021935 at fs4113.wdf.sap.corp>
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

Martin Rex wrote:

> For re-negotiations, the following requirement from
> rfc5246 6.2.1. Fragmentation  (last paragraph):
> 
>    Note: Data of different TLS record layer content types MAY be
>    interleaved.  Application data is generally of lower precedence for
>    transmission than other content types.  However, records MUST be
>    delivered to the network in the same order as they are protected by
>    the record layer.  Recipients MUST receive and process interleaved
>    application layer traffic during handshakes subsequent to the first
>    one on a connection.
> 
> Provides and interesting additional challenge, and documents that
> at least some of the original protocol designers didn't sufficiently
> reflect on the implications.
> 
> Similarly rfc-5246, 7.4.1.1. Hello Request
> 
>       Since handshake messages are intended to have transmission
>       precedence over application data, it is expected that the
>       negotiation will begin before no more than a few records are
>       received from the client.  If the server sends a HelloRequest but
>       does not receive a ClientHello in response, it may close the
>       connection with a fatal alert.
> 
> I think it is underspecified what "interleaved application data
> and handshake messages" and "handshake message have transmission
> precedence over application data" is supposed to mean, and
> what kind of signalling would be necessary between the
> TLS protocol stack and the application caller in order
> to convey the underspecified semantics unambiguously.

Actually as far as I remember this was the most tricky part of TLS (any
version) to implement in a sensible transparent way. Moreover the way I
have implemented it, although not so transparent, the application layer
cannot distinguish between the two sessions (one before renegotiation,
one after). The problem was for me that you could receive any amount of
application data even after a rehandshake was requested, thus I had to
cache them and present to the application after rehandshake was finished.

[...]

> From the original design, and in the two quoted paragraphs above,
> it appears that SSL and its successor TLS was intended to be
> _very_ transparent, and the spec contains guidance for
> security-relevant signaling to the application only for
> the initial TLS handshake on a connection (full initial handshake,
> and session resume), but _NOT_ for the session renegotiation.
> 
> Therefore, I think, we do have a real shortcoming of the
> SSL/TLS protocol, and we really should scramble to fix it.
> 
> That includes improving on the guidance for the signaling
> and semantics of a TLS session renegotiate of the TLS
> protocol stack to the application -- in a fashion so that
> it can be folded back into rfc5246bis.

I agree this part of TLS needs to become more clear in semantics and
more strict in specification. For example what has to be done by a
client if a handshake request was received. Currently some client may
ignore it. How long is the server going to wait to understand that it
was ignored and no reply is expected?


regards,
Nikos

Follow-Ups:
- Re: [TLS] TLS or HTTP issue?
  - From: Marsh Ray

References:
- Re: [TLS] TLS or HTTP issue?
  - From: Martin Rex

Prev by Date: Re: [TLS] Comments on draft-rescorla-tls-renegotiate.txt
Next by Date: Re: [TLS] TLS or HTTP issue?
Previous by thread: Re: [TLS] TLS or HTTP issue?
Next by thread: Re: [TLS] TLS or HTTP issue?
Index(es):
- Date
- Thread

Re: [TLS] TLS or HTTP issue?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.