IETF Logo Mail Archive

Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer Security (TLS) Renegotiation Indication Extension) to Proposed Standard

Kyle Hamilton <aerowolf@gmail.com> Mon, 30 November 2009 18:19 UTC

Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 815A128C150 for <tls@core3.amsl.com>; Mon, 30 Nov 2009 10:19:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.577
X-Spam-Level:
X-Spam-Status: No, score=-2.577 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vNd2LKmHc3oa for <tls@core3.amsl.com>; Mon, 30 Nov 2009 10:19:54 -0800 (PST)
Received: from mail-pz0-f176.google.com (mail-pz0-f176.google.com [209.85.222.176]) by core3.amsl.com (Postfix) with ESMTP id 850F228C139 for <tls@ietf.org>; Mon, 30 Nov 2009 10:19:54 -0800 (PST)
Received: by pzk6 with SMTP id 6so2708658pzk.29 for <tls@ietf.org>; Mon, 30 Nov 2009 10:19:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=tt1dViH/h21xmWEIp6vnX2UtqF3KRg1/Yk7W2A/F/ck=; b=uXlbLKG5Ie5F2mWgk54d6rRfiIyQhXgPgvY4SKUUsnhzPASGipl85Iiz2AEAOwjYwg PeoRMU+rUym3zpjGO/LStjreyQGxwPmasbVzH4MCHwCJ+VABvxHnU+IYYImFjj+KfFz7 c0vrABnY0sXihv6MYCfy1jXhytsmnuicw3U/U=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=t/KDlNDNUCsNmK13aQe56B3iiL7ei59SfWUq3a3Ip1cf0XmXFjD5MfUYc47ShMVyc5 d4K+rVNYrPq1VcOrq74ialJx7Jy3o/K9ryJ/bLu3vibUFMMDnLX7RwMpuVCgTjUw+j7O +fZn49bniCrz/2mHchN1xli11dME3XjHrYOyk=
MIME-Version: 1.0
Received: by 10.142.61.23 with SMTP id j23mr485104wfa.299.1259605185256; Mon, 30 Nov 2009 10:19:45 -0800 (PST)
In-Reply-To: <4B13F367.6040307@extendedsubset.com>
References: <20091130153734.D44C63A6AA9@core3.amsl.com> <4B13F367.6040307@extendedsubset.com>
Date: Mon, 30 Nov 2009 10:19:45 -0800
Message-ID: <6b9359640911301019w114a2a46m32c16afb2cb26067@mail.gmail.com>
From: Kyle Hamilton <aerowolf@gmail.com>
To: Marsh Ray <marsh@extendedsubset.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Eric Rescorla <ekr@rtfm.com>, tls@ietf.org
Subject: Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer Security (TLS) Renegotiation Indication Extension) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 18:19:55 -0000

What I'm seeing here:

An implementation continues to be conformant to TLS even if the RI
isn't sent.  If a client doesn't send the RI (either cipher suite flag
or extension), the server can't send the RI extension back (as it's a
violation of TLS 1.2 for a server to send an unsolicited extension).
If a client does send the RI cipherflag or extension, the server may
send back the RI reply, or (if its security policy prohibits
renegotiation -- to reduce the possible impact of large numbers of
reneg's overwhelming any crypto implementation, or because it's known
that client certificates are never going to be solicited by the
server, to name a couple of possible reasons) it may choose not to
reply with the extension.

In the event that the RI client doesn't receive the extension that it
solicited back from the server, it treats it as a non-RI server and
proceeds according to its own security policy.

(It goes without saying that the peers' security policies must have
some compatibility -- FIPS 140-2 validated TLS implementations already
can't talk to implementations that don't have any FIPS-approved
algorithms, so there's no reason to worry about this.)

On Mon, Nov 30, 2009 at 8:31 AM, Marsh Ray <marsh@extendedsubset.com> wrote:
>
>>    TLS clients which support this draft MUST generate either the
>>
>>    "renegotiation_info" extension or the TLS_RENEGO_PROTECTION_REQUEST
>>    cipher suite with every ClientHello.
>
> Can they generate both?
>
> If not, what does the server do if he receives both?

I suggest the wording 'MUST generate either or both of the RI
extension or the TLS_RENEGO_PROTECTION_REQUEST cipher suite flag with
every ClientHello.  If the client requests renegotiation, it must do
so with the same mechanism(s) that it used during the initial
ClientHello -- e.g. if the client uses the RI extension without the
cipher suite flag, then ClientHello handshake messages used for
renegotiation must not contain the cipher suite flag.'

>>    Existing implementations which do not support this extension are
>>    widely deployed and in general must interoperate with newer
>>    implementations which do support it.  This section describes
>
> s/must/need to/ to avoid confusion with MUST.

Agreed.

>
>>    If a client offers the "renegotiation_info" extension or the
>>    TLS_RENEGO_PROTECTION_REQUEST cipher suite and the server does not
>>    reply with "renegotiation_info" in the ServerHello, then this
>>    indicates that the server either does not support secure
>>    renegotiation or is unwilling to use it.
>
> Is it allowed for a patched server to be "unwilling"?
>
> If not, drop the "or is unwilling to use it" lest it give the impression
> that such behavior is condoned.

Above, I've suggested a couple of potential reasons why a server
(which knows about the renegotiation security hole) might simply
disable renegotiation entirely.

>>    If the client does not offer the "renegotiation_info" extension or
>>    the TLS_RENEGO_PROTECTION_REQUEST cipher suite then this indicates
>>    that the client does not support secure renegotiation or is unwilling
>>    to use it.  However, because the above attack looks like two
>
> Again, is it allowed for a client to be conformant to this spec and
> still not send either the extension or magic cipher suite value?
>
> - Marsh

A client may be conformant to this specification without sending
either the RI ext or the cipher suite flag, if it knows that it will
not perform or accept any requests to perform any renegotiations.  If
it does not, the server will believe that it is an unpatched client
and expect/accept only one negotiation.  Why indicate your willingness
to do something that you're not willing to do later anyway?

I'd suggest adding wording to this effect, suggesting that
implementations SHOULD offer this extension only if they're willing to
accept renegotiations.  (Local security policies may include "all
traffic that goes over the internet must appear as though it's coming
from servers that will renegotiate" -- if only as a prophylactic
against someone doing deep packet scanning and seeing a potentially
insecure server for later attack attempts.)

-Kyle H

v2.23.0 | Report a Bug | By Email