Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

To: mrex at sap.com
Subject: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
From: Eric Rescorla <ekr at networkresonance.com>
Date: Mon, 09 Nov 2009 14:15:11 -0800
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <200911092035.nA9KZviE026489 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911092035.nA9KZviE026489 at fs4113.wdf.sap.corp>
User-agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)

At Mon, 9 Nov 2009 21:35:57 +0100 (MET),
Martin Rex wrote:
> 
> Maybe a patched Server (one with support for secure renegotiation)
> should ALWAYS assert this extension in a renegotiation TLS handshake
> _with_ the verify_data of both server.finished and client.finished
> in the ServerHello -- including when the client didn't send the
> extension (maybe because the client didn't dare confusing an SSLv3 server).

This is forbidden by RFC 4366: servers can only send what the client
offers:

   Note that for all extension types (including those defined in the
   future), the extension type MUST NOT appear in the extended server
   hello unless the same extension type appeared in the corresponding
   client hello.  Thus clients MUST abort the handshake if they receive
   an extension type in the extended server hello that they did not
   request in the associated (extended) client hello.

-Ekr

References:
- [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: Martin Rex

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Previous by thread: Re: [TLS] assert TLSext in renego-ServerHello instead of disable
Next by thread: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Index(es):
- Date
- Thread

Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.