Re: [TLS] simplistic renego protection

To: tls at ietf.org
Subject: Re: [TLS] simplistic renego protection
From: Nelson B Bolyard <nelson at bolyard.me>
Date: Thu, 19 Nov 2009 19:01:27 -0800
Delivered-to: tls at core3.amsl.com
In-reply-to: <4B059716.6010309 at jacaranda.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Organization: Network Security Services
References: <200911182000.nAIK0Qkm013905 at fs4113.wdf.sap.corp> <4B04A792.7040607 at jacaranda.org> <B197003731D4874CA41DE7B446BBA3E829CD28F1 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <4B059716.6010309 at jacaranda.org>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b1pre) Gecko/20081004 NOT Firefox/2.0 SeaMonkey/2.0a2pre

On 2009-11-19 11:05 PST, David-Sarah Hopwood wrote:
> Nasko Oskov wrote:

>> If the MiTM sends a client hello to the server that has no extension, then
>> the server has no way to drop the connection. This will require a strict
>> server to prevent the attack and strict server config will not be reality
>> for a long time. What am I missing?
> 
> That, in the RI approach, strict server config is essential from the start.
> 
> We haven't yet established whether the ability to support lenient servers
> is a requirement. Eric has argued against allowing that; so have I.
> If lenient servers are allowed, then I think it will take *much* longer
> until the vulnerability is eliminated from most connections.

I must have missed the message wherein "lenient server" was defined.
Is it a server that accepts client hellos without any signal that the
client has been upgraded, but merely refuses to renegotiate with such a
client?

IOW, is it the kind of server that numerous vendors are shipping now,
that recent patches to open source have just created, one that refuses to
renegotiate at all but still accepts old style client hellos?

Is someone proposing to abolish them already?

> Remember, rejecting a renegotiating ClientHello does not necessarily lead
> to an interoperability failure; it only does so if the client will not
> reconnect.

By definition, the alert that rejects a renegotiating client auth
(no_renegotiation) is a warning alert.  It leaves the previous TLS
connection and session state intact and able to continue.  So IINM, it does
not lead to an interoperability failure unless the client chooses to treat
that alert as fatal, despite being a warning, AND refuses to reconnect.
Right?

Follow-Ups:
- Re: [TLS] simplistic renego protection
  - From: David-Sarah Hopwood
- Re: [TLS] simplistic renego protection
  - From: Martin Rex

References:
- Re: [TLS] simplistic renego protection
  - From: Martin Rex
- Re: [TLS] simplistic renego protection
  - From: David-Sarah Hopwood
- Re: [TLS] simplistic renego protection
  - From: David-Sarah Hopwood

Prev by Date: Re: [TLS] Protocol version bit to use,
Next by Date: Re: [TLS] simplistic renego protection
Previous by thread: [TLS] Definition of "lenient server"
Next by thread: Re: [TLS] simplistic renego protection
Index(es):
- Date
- Thread

Re: [TLS] simplistic renego protection

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.