Re: [TLS] Comments on draft-rescorla-tls-renegotiate.txt

To: tls at ietf.org
Subject: Re: [TLS] Comments on draft-rescorla-tls-renegotiate.txt
From: Michael D'Errico <mike-list at pobox.com>
Date: Sat, 07 Nov 2009 08:07:58 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=F2/E5isboqCG xxLUzznw7qMejZw=; b=u1jEQlgsZ/Xkmyi1Z8v8vKhQK+ljM0ReiGDhNUGaV7Hs 7+I5BnTyiZvPieFREUCDtpXJFi2BxRfqw30wlO+8KRO6T6qxOZHwTTah7FryvV5H L/XF80MR6cGz9iDb9JSEfkQRuwtTQOKu+c82k8Yc4lRwVTuFqS35D4naYj0h0wA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=SCYQbp kxsFyBHmJZK1x98+05rYkCf9tAcvK6pIItvyfR60/ZsqrpdDN6iKKkbKRVfFJdF0 2lHgQd3NDH9vstw/CLtlmEffGnClT6HVUhEsUgwQlSMqit/LxATeQ2BH79OcqTWu uV60WxMyVYHacF80PZonTNruRAt2LuY4CZ33A=
In-reply-to: <4AF5112E.2070809 at jacaranda.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <4AF5112E.2070809 at jacaranda.org>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

Another issue is that a server that supports the extension can refuse
the renegotiation. The current draft is not clear about what the client
and server behaviour should be in that case.

Suggestion:

If a ClientHello that is requesting to resume a previous session
contains a Renegotiation_Info extension, and the server supports the
extension but wishes to refuse the renegotiation, it SHOULD reply
with a zero-length Renegotiation_Info.


The server already has to reply with an empty Renegotiation_Info
extension.  That is what happens on an initial handshake even when
resuming a previous session, and also for a session_ticket resume.

The draft has only a single sentence discussing session resumption:

   The above rules apply even when TLS resumption is used.

Maybe it needs to elaborate more.

If a client that is requesting to resume a session receives a
zero-length Renegotiation_Info without a no_renegotiation alert, it
MUST abort the handshake. If it receives both a zero-length
Renegotiation_Info and a no_renegotiation alert, then the fact that
the Renegotiation_Info contents do not match the previous session's
verify_data values should not be considered a reason for the client
to abort.


No, session resumption is no different w.r.t. the Renegotiation_Info
extension than a full handshake.  The info is always empty on the
first handshake for a connection, even when resuming a previous session.

As a result, you do not need to store the verify_data from the finished
messages in your session cache.

Note that one legitimate reason for refusing a renegotiation is that
the old session has expired, in which case the server is likely to have
forgotten the client and server verify_data values for that session.
Nevertheless it SHOULD reply with a Renegotiation_Info to indicate
that it supports the extension.


The server never needs to remember the verify_data from a previous
session unless it is the currently active session.  When storing a
session in your session cache, the verify_data can be discarded since
it is not needed in the future.  If that session gets resumed later,
the Renegotiation_Info will be empty.

Mike

For the same reason, when the server refuses a renegotiation it may
not have the ability to check that the contents of the client's
Renegotiation_Info were correct. Therefore, there should be no
requirement for the server to check the contents in that case.

Follow-Ups:
- Re: [TLS] Comments on draft-rescorla-tls-renegotiate.txt
  - From: David-Sarah Hopwood

References:
- [TLS] Comments on draft-rescorla-tls-renegotiate.txt
  - From: David-Sarah Hopwood

Prev by Date: Re: [TLS] TLS or HTTP issue?
Next by Date: Re: [TLS] [oss-security] CVE-2009-3555 for TLS renegotiation MITM attacks
Previous by thread: Re: [TLS] Comments on draft-rescorla-tls-renegotiate.txt
Next by thread: Re: [TLS] Comments on draft-rescorla-tls-renegotiate.txt
Index(es):
- Date
- Thread

Re: [TLS] Comments on draft-rescorla-tls-renegotiate.txt

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.