Re: [TLS] TLS or HTTP issue?

To: "tls at ietf.org" <tls at ietf.org>
Subject: Re: [TLS] TLS or HTTP issue?
From: Marsh Ray <marsh at extendedsubset.com>
Date: Sat, 07 Nov 2009 02:30:31 -0600
Delivered-to: tls at core3.amsl.com
In-reply-to: <4AF52966.3070400 at gnutls.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=1E36DBF2
References: <200911061713.nA6HDi2n021935 at fs4113.wdf.sap.corp> <4AF52966.3070400 at gnutls.org>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Nikos Mavrogiannopoulos wrote:
> 
> the application layer
> cannot distinguish between the two sessions (one before renegotiation,
> one after). The problem was for me that you could receive any amount of
> application data even after a rehandshake was requested, thus I had to
> cache them and present to the application after rehandshake was finished.

Yes, yes!

The buffered stream IO model we all take for granted is insufficient to
represent the semantics of a TLS connection in the presence of
renegotiation!

Even with an added callback for cert validation, ambiguities linger!

I think it highly probable that real vulnerabilities exist in
applications due to this mismatch.

The draft-rescorla-tls-renegotiate extension should help quite a bit though.

- Marsh

Follow-Ups:
- Re: [TLS] TLS or HTTP issue?
  - From: Michael D'Errico

References:
- Re: [TLS] TLS or HTTP issue?
  - From: Martin Rex
- Re: [TLS] TLS or HTTP issue?
  - From: Nikos Mavrogiannopoulos

Prev by Date: Re: [TLS] TLS or HTTP issue?
Next by Date: Re: [TLS] Comments on draft-rescorla-tls-renegotiate.txt
Previous by thread: Re: [TLS] TLS or HTTP issue?
Next by thread: Re: [TLS] TLS or HTTP issue?
Index(es):
- Date
- Thread

Re: [TLS] TLS or HTTP issue?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.