Re: [TLS] simplistic renego protection

To: tls at ietf.org
Subject: Re: [TLS] simplistic renego protection
From: Nelson B Bolyard <nelson at bolyard.me>
Date: Thu, 19 Nov 2009 19:37:06 -0800
Delivered-to: tls at core3.amsl.com
In-reply-to: <4B059A60.9000003 at jacaranda.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Organization: Network Security Services
References: <200911182000.nAIK0Qkm013905 at fs4113.wdf.sap.corp> <4B04A792.7040607 at jacaranda.org> <B197003731D4874CA41DE7B446BBA3E829CD28F1 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <4B059716.6010309 at jacaranda.org> <4B059A60.9000003 at jacaranda.org>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b1pre) Gecko/20081004 NOT Firefox/2.0 SeaMonkey/2.0a2pre

On 2009-11-19 11:20 PST, David-Sarah Hopwood wrote:
> David-Sarah Hopwood wrote:
>> Nasko Oskov wrote:

>>> If the MiTM sends a client hello to the server that has no extension,
>>> then the server has no way to drop the connection. This will require
>>> a strict server to prevent the attack and strict server config will
>>> not be reality for a long time. What am I missing?
>> 
>> That, in the RI approach, strict server config is essential from the
>> start.
> 
> Point of clarification: "strict server" here means that the server does 
> not accept *renegotiations* with an unpatched client. It still accepts 
> initial handshakes.

If that is a "strict server", then what is a "lenient server"?
Is it a vulnerable server?

Follow-Ups:
- Re: [TLS] simplistic renego protection
  - From: David-Sarah Hopwood
- Re: [TLS] simplistic renego protection
  - From: Michael D'Errico

References:
- Re: [TLS] simplistic renego protection
  - From: Martin Rex
- Re: [TLS] simplistic renego protection
  - From: David-Sarah Hopwood
- Re: [TLS] simplistic renego protection
  - From: David-Sarah Hopwood
- Re: [TLS] simplistic renego protection
  - From: David-Sarah Hopwood

Prev by Date: Re: [TLS] simplistic renego protection
Next by Date: Re: [TLS] simplistic renego protection
Previous by thread: Re: [TLS] simplistic renego protection
Next by thread: Re: [TLS] simplistic renego protection
Index(es):
- Date
- Thread

Re: [TLS] simplistic renego protection

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.