Re: [TLS] Need for S->C signaling

To: "tls at ietf.org" <tls at ietf.org>
Subject: Re: [TLS] Need for S->C signaling
From: Marsh Ray <marsh at extendedsubset.com>
Date: Thu, 19 Nov 2009 16:29:44 -0600
Delivered-to: tls at core3.amsl.com
In-reply-to: <334EA87E-FDC3-4A45-B4EB-316A046EBFFD at checkpoint.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=1E36DBF2
References: <C72AC445.671C%stefan at aaa-sec.com> <B197003731D4874CA41DE7B446BBA3E829CD28D4 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <334EA87E-FDC3-4A45-B4EB-316A046EBFFD at checkpoint.com>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Yoav Nir wrote:
> 
> But even if the server did send the CCS and Finished message, the
> Finished message does not check out,
> so the client does not complete the request. So where's the damage.
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
http://tools.ietf.org/html/rfc4346
    Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                     Certificate*
                                               ServerKeyExchange*
                                              CertificateRequest*
                                   <--------      ServerHelloDone
      Certificate*
      ClientKeyExchange
      CertificateVerify*
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

             Fig. 1. Message flow for a full handshake


The client has to send his Finished message before he sees the server's.

The server executes the request when he receives Finished from the
client. There is nothing later he can wait for, really.

MitM can drop the server's Finished message before the client gets a
chance to verify it.

- Marsh

Follow-Ups:
- Re: [TLS] Need for S->C signaling
  - From: Yoav Nir

References:
- [TLS] Need for S->C signaling
  - From: Stefan Santesson
- Re: [TLS] Need for S->C signaling
  - From: Nasko Oskov
- Re: [TLS] Need for S->C signaling
  - From: Yoav Nir

Prev by Date: Re: [TLS] Need for S->C signaling
Next by Date: [TLS] I-D Action:draft-ietf-tls-renegotiation-00.txt
Previous by thread: Re: [TLS] Need for S->C signaling
Next by thread: Re: [TLS] Need for S->C signaling
Index(es):
- Date
- Thread

Re: [TLS] Need for S->C signaling

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.