Re: [TLS] Avoiding first use of RI in ClientHello
Stefan Santesson <stefan@aaa-sec.com> Wed, 25 November 2009 22:44 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 407743A67C2 for <tls@core3.amsl.com>; Wed, 25 Nov 2009 14:44:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.594
X-Spam-Level:
X-Spam-Status: No, score=-2.594 tagged_above=-999 required=5 tests=[AWL=0.655, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K3ajGZb1g8zw for <tls@core3.amsl.com>; Wed, 25 Nov 2009 14:44:42 -0800 (PST)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by core3.amsl.com (Postfix) with ESMTP id F22913A6405 for <tls@ietf.org>; Wed, 25 Nov 2009 14:44:41 -0800 (PST)
Received: from s60.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 79C5328E7D4 for <tls@ietf.org>; Wed, 25 Nov 2009 23:44:44 +0100 (CET)
Received: (qmail 68557 invoked from network); 25 Nov 2009 22:44:35 -0000
Received: from 213-64-142-247-no153.business.telia.com (HELO [192.168.1.3]) (stefan@fiddler.nu@[213.64.142.247]) (envelope-sender <stefan@aaa-sec.com>) by s60.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <ekr@networkresonance.com>; 25 Nov 2009 22:44:35 -0000
User-Agent: Microsoft-Entourage/12.23.0.091001
Date: Wed, 25 Nov 2009 23:44:33 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: Eric Rescorla <ekr@networkresonance.com>, tls@ietf.org
Message-ID: <C73371E1.6AF3%stefan@aaa-sec.com>
Thread-Topic: [TLS] Avoiding first use of RI in ClientHello
Thread-Index: AcpuINtBpqAg/HDjo0+kMje6+cDs7w==
In-Reply-To: <20091125223502.4265B6C3285@kilo.networkresonance.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: Re: [TLS] Avoiding first use of RI in ClientHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 22:44:43 -0000
Eric, I think this is a great approach and in line with recent proposals. I prefer the RI extension without the verify data for reasons previously stated on the list. /Stefan On 09-11-25 11:35 PM, "Eric Rescorla" <ekr@networkresonance.com> wrote: > Folks, > > I wanted to try to resolve what I see as the major technical concern > people have about draft-ietf-tls-renegotiation-00, namely that the > client cannot offer secure renegotiation and be sure that it won't > cause a connection failure with a downrev (extension noncompliant) > server. > > There's been a lot of discussion of whether this is a serious problem, > but it's clear that minimal risk of breaking things that currently > work (which some folks think requires not using extensions in the > initial ClientHello) is important for the timely deployment of the > fix, and with the current draft, that may require fall-back to > extension-less handshake. > > It's unclear how often such fall-back logic would actually be needed, > and I do find Nelson's "tough love" approach here sort of appealing, > but it does seem to be a problem that you don't necessarily know for sure > whether you need it or not until you've actually shipped the product > with extensions, and possibly broken applications that currently work. > It's especially concerning that fall-back can't be implemented reliably > inside the TLS library, e.g., if you just get a filehandle, so changes > to the app logic are required. > > > The rest of this message describes a simple modification [*] to > draft-ietf-tls-negotiation which I think addresses this compatibility > issue without requiring fall-back. > > The idea is to use a magic cipher suite to signal that the client can > securely renegotiate (as described in > draft-mrex-tls-secure-renegotiation). However, the server treats this > EXACTLY as if the client had offered an empty RI extension, and > responds with its own RI extension (or if it doesn't implement the > full extension framework, just adds a known byte string to the end of > the ServerHello). In other words: > > > Client Server > ------------------------------------------------------ > ClientHello + TLS_RENEGO_PROTECTION_REQUEST -> > <- ServerHello + Empty RI > > > At this point, the client now knows that the server supports secure > renegotiation and can simply send RI in any renegotiation handshake > (and if the client doesn't implement the full extensions framework, it > could just add a known byte string to the end of the ClientHello, > without requiring full extension support). Note that this is > reminiscent of the SSLv2->SSLv3 transition where clients would > initially offer backward compatibility handshakes but once they knew > the server was SSLv3-capable would offer the new ClientHello. > > > What about 5246 and unsolicited extensions? > As far as I can tell, the major argument against using extensions > for S->C signalling is the 5246 prohibition against the server providing > unsolicited extensions. However, that was clearly intended to prevent > the server from sending extensions the client didn't expect and > that's not the case here. Moreover, we're updating 5246 so we can relax > the restriction for this extension (though I would think not in general). > > > What about not putting the verify data in the extension? > I think that issue is separable from the question of how we signal > support, so would like to deal with it separately. (It seems this > won't make any difference for the bigger questions like can deploying > the fix break things that currently work, or whether you can implement > the fix purely inside the TLS library) > > > What about SSLv3? > Obviously, the ClientHello is compatible with SSLv3. (and the magic > cipher suite can be offered even in SSLv2 backward compatible > hello---ugh!). Although SSLv3 does not have the TLS extension > framework, we could also specify that the server (once it sees the > magic cipher suite indicating the client supports this draft) just > appends the relevant fixed-length byte string to the end of the > ServerHello. > > > What do people think about this approach? > > -Ekr > > [*] I didn't invent this approach, I'm just reproposing it to try to focus > discussion. > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Robert Relyea
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- Re: [TLS] Avoiding first use of RI in ClientHello Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Avoiding first use of RI in ClientHello peter.robinson
- Re: [TLS] Avoiding first use of RI in ClientHello Min Huang
- Re: [TLS] Verify data in the RI extension? Yoav Nir
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Pasi.Eronen
- [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Avoiding first use of RI in ClientHello Eric Rescorla
- [TLS] Perhaps there's another way. Was: Verify da… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] Avoiding first use of RI in ClientHello Stefan Santesson
- [TLS] What would be the point of removing signall… David-Sarah Hopwood
- Re: [TLS] Perhaps there's another way. Was: Verif… Marsh Ray
- Re: [TLS] Perhaps there's another way. Was: Verif… Dr Stephen Henson
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] What would be the point of removing sig… Marsh Ray
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Perhaps there's another way. Was: Verif… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Nelson B Bolyard
- Re: [TLS] What would be the point of removing sig… Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Simon Josefsson
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Nikos Mavrogiannopoulos
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Eric Rescorla
- Re: [TLS] Verify data in the RI extension? Martin Rex
- Re: [TLS] Verify data in the RI extension? Pasi.Eronen
- Re: [TLS] Avoiding first use of RI in ClientHello Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] What would be the point of removing sig… David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Bodo Moeller
- Re: [TLS] What would be the point of removing sig… Bodo Moeller
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? Michael D'Errico
- Re: [TLS] Verify data in the RI extension? David-Sarah Hopwood
- Re: [TLS] Verify data in the RI extension? Marsh Ray
- Re: [TLS] Verify data in the RI extension? Stefan Santesson
- Re: [TLS] Verify data in the RI extension? Yoav Nir