Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

To: tls at ietf.org
Subject: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
From: David-Sarah Hopwood <david-sarah at jacaranda.org>
Date: Tue, 10 Nov 2009 04:43:59 +0000
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=ZEWF9hqtuC3yj3dhY0iKGuXUmjcwoz0JVo3SbIiDF9c=; b=a3JZskwqkQNl+1WzH7Sg8qudQVByKSvwUA4jUo6vLwGUT2Oz0fZtlqDkQrAjpHHqHo VCnn6q22v5VFQM0wC+unuN+NIE8PLAp7l9WCMHD5dmuQs5yDCHz2g1v8zBeVfzuMsWAy XdAstpYvE/do+tFZwbOsU+9Qn3A/NNOVq7SEY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=gdFE6W2SiTmL4IGmToL26PMM7eMAQsVql5F00ueRgjY66HgBpIKw99d/UYln2XhYNB t0flgilNhaYRUuCmX1dgqFMViwd8c1h8P16zR3u/r6e4ONwQwHkGi23runYcczFJm6jb XeflFpPHJ2cCR3z31BAJW1MNP1gAbOyc6oOm4=
In-reply-to: <200911092035.nA9KZviE026489 at fs4113.wdf.sap.corp>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911092035.nA9KZviE026489 at fs4113.wdf.sap.corp>
Sender: David-Sarah Hopwood <djhopwood at googlemail.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666

Martin Rex wrote:
> Maybe a patched Server (one with support for secure renegotiation)
> should ALWAYS assert this extension in a renegotiation TLS handshake
> _with_ the verify_data of both server.finished and client.finished
> in the ServerHello -- including when the client didn't send the
> extension (maybe because the client didn't dare confusing an SSLv3 server).
> 
> If we recommend the Server to no longer perform insecure renegotiation,
> we could instead recommend that the server unconditionally asserts the
> ServerHello extension for the renegotiation handshake.

That's not necessary. Suppose that the client sent an SSLv3 ClientHello
with client_version = 3.1 (or higher). Assuming the server supports TLS,
then TLS will be negotiated. So when the client sends the renegotiation,
it knows that it is safe to send extensions. The attack is prevented as
long as the renegotiating handshake uses the extension; it is not necessary
for the initial handshake to have used it.

However, the draft is not clear enough on that last point. It should
clarify that, while including a zero-length Renegotiation_Info implies
that the extension is supported (by either the client or server), the
converse is not true: lack of a Renegotiation_Info extension on the first
handshake does not imply that the extension isn't supported.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: Michael D'Errico

References:
- [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: Martin Rex

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Previous by thread: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Next by thread: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Index(es):
- Date
- Thread

Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.