Re: [TLS] TLS or HTTP issue?

To: "tls at ietf.org" <tls at ietf.org>
Subject: Re: [TLS] TLS or HTTP issue?
From: Michael D'Errico <mike-list at pobox.com>
Date: Sat, 07 Nov 2009 09:52:47 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=rePPLpZrzBBV JirdNxLreYcRArU=; b=GnkqHsvPL/mdv9X1oG3SdnOrYvcXmPlvIAedxMOXKmju 2z/5kYXIfsEVnpAfGSykm9UdooWdNboGcAeEaSiBaDknedyWX/hqPRXq+zwT3woH iYpazjOnWF8Q5vQF8uH5Pmv8wmmwDnDj8tTWXTH+gh+qn5vLmyxz2afCcckuNdU=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=vYh25T fi6wY7BRIrtODHHgV/OohsulD2rQFjYW+HFGMZaUWY5n5LTkwekzZ5gfePAAbngN p+8/DMepvxFtKla0+2A9Jla9ObzHM7hWAkIA8ScSYysZ/K/jQD7wFqn7okx1x2GF 3bjmn/I8lcnfFh1es4DH3Rw3ql/3EGWEgPdUM=
In-reply-to: <4AF53027.6030701 at extendedsubset.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911061713.nA6HDi2n021935 at fs4113.wdf.sap.corp> <4AF52966.3070400 at gnutls.org> <4AF53027.6030701 at extendedsubset.com>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

Marsh Ray wrote:

Nikos Mavrogiannopoulos wrote:

the application layer
cannot distinguish between the two sessions (one before renegotiation,
one after). The problem was for me that you could receive any amount of
application data even after a rehandshake was requested, thus I had to
cache them and present to the application after rehandshake was finished.


Yes, yes!

The buffered stream IO model we all take for granted is insufficient to
represent the semantics of a TLS connection in the presence of
renegotiation!


My server works a bit differently; it does what I'll call "lazy
renegotiation."  If it receives a ClientHello for a renegotiation, it
calculates all of the response handshake messages and puts them into
the outbound queue for delivery to the client.  It will happily continue
sending application data to the client and also receiving and passing
application data back to the application while the pending TLS session
is in this uncompleted state.  I believe this is what the TLS spec
intended.

If the client continues with the handshake, those messages are processed
as they are received, and the pending TLS session moves closer to
completion.  It is possible for the client and/or server to end up with
two different active sessions -- one based on the renegotiation, and one
based on the original handshake.  This would happen if one side fails to
send a ChangeCipherSpec and Finished message.

So the question becomes: should this be a legal state to be in?  I could
add some logic to disallow the sending of application data over a newly-
installed renegotiated session until the peer has completed its side of
the handshake.  But it should probably be allowed to continue receiving
application data over the old session since it could have been in transit
prior to sending the Finished message.

I think a good addition to my API would be to have a callback that tells
the application when a renegotiation has completed, and to also pass back
any application data that was received under the old session, but not yet
read by the application.

There is another weird possibility that should probably be prohibited:
if for some reason a ChangeCipherSpec is received during a renegotiation,
but not followed immediately by a Finished message, the receipt of any
application data should cause a handshake failure.

Mike

Even with an added callback for cert validation, ambiguities linger!

I think it highly probable that real vulnerabilities exist in
applications due to this mismatch.

The draft-rescorla-tls-renegotiate extension should help quite a bit though.

- Marsh

References:
- Re: [TLS] TLS or HTTP issue?
  - From: Martin Rex
- Re: [TLS] TLS or HTTP issue?
  - From: Nikos Mavrogiannopoulos
- Re: [TLS] TLS or HTTP issue?
  - From: Marsh Ray

Prev by Date: Re: [TLS] TLS renegotiation issue
Next by Date: Re: [TLS] Test Server (was TLS renegotiation issue)
Previous by thread: Re: [TLS] TLS or HTTP issue?
Next by thread: Re: [TLS] TLS or HTTP issue?
Index(es):
- Date
- Thread

Re: [TLS] TLS or HTTP issue?

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.