[TLS] assert TLSext in renego-ServerHello instead of disable renego

To: tls at ietf.org
Subject: [TLS] assert TLSext in renego-ServerHello instead of disable renego
From: Martin Rex <mrex at sap.com>
Date: Mon, 9 Nov 2009 21:35:57 +0100 (MET)
Delivered-to: tls at core3.amsl.com
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Maybe a patched Server (one with support for secure renegotiation)
should ALWAYS assert this extension in a renegotiation TLS handshake
_with_ the verify_data of both server.finished and client.finished
in the ServerHello -- including when the client didn't send the
extension (maybe because the client didn't dare confusing an SSLv3 server).

If we recommend the Server to no longer perform insecure renegotiation,
we could instead recommend that the server unconditionally asserts the
ServerHello extension for the renegotiation handshake.  


This would even allow clients to agree to a secure renegotiation,
which did not dare proposing it (because of an interoperability
constraint with some legacy SSLv3 servers that choke on TLS extensions).

Those clients that propose the secure renegotiation may need a
fallback to a vanilla SSLv3 ClientHello.  Such a fallback would have
to be made at the apps level and is a significant change.  Allowing
server to assert this particular TLS extension in the ServerHello
of a _renegotiation_handhshake_ without having received it in the
ClientHello would obviate the need for the client to add a
TLS extension to the ClientHello, and therefore may obviate the
necessity of a re-connect fallback.


-Martin

Follow-Ups:
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: Marsh Ray

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Previous by thread: [TLS] Could the renegotiation attack be used for session hijacking?
Next by thread: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Index(es):
- Date
- Thread

[TLS] assert TLSext in renego-ServerHello instead of disable renego

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.