Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer Security (TLS) Renegotiation Indication Extension) to Proposed Standard
Marsh Ray <marsh@extendedsubset.com> Mon, 30 November 2009 18:47 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B25DA3A697F for <tls@core3.amsl.com>; Mon, 30 Nov 2009 10:47:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.479
X-Spam-Level:
X-Spam-Status: No, score=-2.479 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ikfllnouD38L for <tls@core3.amsl.com>; Mon, 30 Nov 2009 10:47:51 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 43A1F3A6944 for <tls@ietf.org>; Mon, 30 Nov 2009 10:47:51 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NFBHh-000Pzs-LS; Mon, 30 Nov 2009 18:47:43 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 34454603C; Mon, 30 Nov 2009 18:47:40 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/mx1HV1WcpxI2ftXZZZZNxCsFQG41umq4=
Message-ID: <4B141340.9040706@extendedsubset.com>
Date: Mon, 30 Nov 2009 12:47:28 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Kyle Hamilton <aerowolf@gmail.com>
References: <20091130153734.D44C63A6AA9@core3.amsl.com> <4B13F367.6040307@extendedsubset.com> <6b9359640911301019w114a2a46m32c16afb2cb26067@mail.gmail.com>
In-Reply-To: <6b9359640911301019w114a2a46m32c16afb2cb26067@mail.gmail.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Eric Rescorla <ekr@rtfm.com>, tls@ietf.org
Subject: Re: [TLS] Last Call: draft-ietf-tls-renegotiation (Transport Layer Security (TLS) Renegotiation Indication Extension) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2009 18:47:52 -0000
Kyle Hamilton wrote: > What I'm seeing here: > > An implementation continues to be conformant to TLS even if the RI > isn't sent. Sure, but is it compliant with draft-ietf-tls-renegotiation? I suggest that it shouldn't be. > If a client doesn't send the RI (either cipher suite flag > or extension), the server can't send the RI extension back (as it's a > violation of TLS 1.2 for a server to send an unsolicited extension). > If a client does send the RI cipherflag or extension, the server may > send back the RI reply, or (if its security policy prohibits > renegotiation -- to reduce the possible impact of large numbers of > reneg's overwhelming any crypto implementation, or because it's known > that client certificates are never going to be solicited by the > server, to name a couple of possible reasons) it may choose not to > reply with the extension. What is the benefit to anyone of a patched server not replying with the extension when it was specifically requested by the client? Allowing that just adds (or multiplies) in another valid combination that has to be regression tested. > In the event that the RI client doesn't receive the extension that it > solicited back from the server, it treats it as a non-RI server and > proceeds according to its own security policy. Which a year from now ought to be "don't connect to servers who's admins don't care enough to apply security patches in a year". > (It goes without saying that the peers' security policies must have > some compatibility -- FIPS 140-2 validated TLS implementations already > can't talk to implementations that don't have any FIPS-approved > algorithms, so there's no reason to worry about this.) > > On Mon, Nov 30, 2009 at 8:31 AM, Marsh Ray <marsh@extendedsubset.com> wrote: >>> TLS clients which support this draft MUST generate either the >>> >>> "renegotiation_info" extension or the TLS_RENEGO_PROTECTION_REQUEST >>> cipher suite with every ClientHello. >> Can they generate both? >> >> If not, what does the server do if he receives both? > > I suggest the wording 'MUST generate either or both of the RI > extension or the TLS_RENEGO_PROTECTION_REQUEST cipher suite flag with > every ClientHello. Agreed. > If the client requests renegotiation, it must do > so with the same mechanism(s) that it used during the initial > ClientHello -- e.g. if the client uses the RI extension without the > cipher suite flag, then ClientHello handshake messages used for > renegotiation must not contain the cipher suite flag.' Why? What if the client used the MCS flag for the initial handshake? How can he send the verify_data if there's no RI in the second handshake? If it must be restricted, I'd prefer that the MCS flag be allowed only on initial hello and banned on renegotation handshakes. >>> If a client offers the "renegotiation_info" extension or the >>> TLS_RENEGO_PROTECTION_REQUEST cipher suite and the server does not >>> reply with "renegotiation_info" in the ServerHello, then this >>> indicates that the server either does not support secure >>> renegotiation or is unwilling to use it. >> Is it allowed for a patched server to be "unwilling"? >> >> If not, drop the "or is unwilling to use it" lest it give the impression >> that such behavior is condoned. > > Above, I've suggested a couple of potential reasons why a server > (which knows about the renegotiation security hole) might simply > disable renegotiation entirely. Sure, but that's not a reason to not reply with RI when requested. It's not a reason for the server to not tell the client that it is, in fact, patched. >> Again, is it allowed for a client to be conformant to this spec and >> still not send either the extension or magic cipher suite value? > > A client may be conformant to this specification without sending > either the RI ext or the cipher suite flag, if it knows that it will > not perform or accept any requests to perform any renegotiations. The client doesn't necessarily see the renegotiation, so it can't know that it's not taking part in one. > If > it does not, the server will believe that it is an unpatched client > and expect/accept only one negotiation. If it's been patched and configured such that it talks to insecure clients. > Why indicate your willingness > to do something that you're not willing to do later anyway? > > I'd suggest adding wording to this effect, suggesting that > implementations SHOULD offer this extension only if they're willing to > accept renegotiations. Why should the client advertise that he's willing or not willing to renegotiate? What if the API and existing application code defers that decision until later? A client app that is willing renegotiate only just after submitting an HTTP request and if the user could possibly approve the client cert request. Client certs could become enabled at any time and shouldn't cause existing connections to break! IMHO a patched client should always send the magic cipher suite so the server can prevent MitM. That way you don't have to force the server into making the difficult decision as to whether or not to join in on a possibly-compromised connection. - Marsh
- [TLS] Last Call: draft-ietf-tls-renegotiation (Tr… The IESG
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Robert Dugal
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Rob P Williams
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Kyle Hamilton
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Bodo Moeller
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nasko Oskov
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Glen Zorn
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Yoav Nir
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Stephen Farrell
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Joseph Salowey (jsalowey)
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Stefan Santesson
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Robert Relyea
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Chris Newman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… peter.robinson
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Yoav Nir
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Pasi.Eronen
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Chris Newman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Chris Newman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nasko Oskov
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Cullen Jennings
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Stefan Santesson
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael Gray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Chris Newman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael Gray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Wan-Teh Chang
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Badra
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Stefan Santesson
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- [TLS] Defining "TLS channel" (Re: Last Call: draf… Nicolas Williams
- [TLS] TLS Renegotiate: empty extension and TLS_RE… peter.robinson
- Re: [TLS] TLS Renegotiate: empty extension and TL… Eric Rescorla
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Peter Sylvester
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- [TLS] Overzealous RFC-2119-ification (was Last Ca… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Michael D'Errico
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Michael Gray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Nelson B Bolyard
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Florian Weimer
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Marsh Ray
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Yoav Nir
- Re: [TLS] Defining "TLS channel" (Re: Last Call: … Pasi.Eronen
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Paul Hoffman
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Steve Checkoway
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Steve Dispensa
- Re: [TLS] Defining "TLS channel" (Re: Last Call: … Nicolas Williams
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Glen Zorn
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Defining "TLS channel" Nicolas Williams
- Re: [TLS] Defining "TLS channel" Nicolas Williams
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Defining "TLS channel" Nicolas Williams
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Defining "TLS channel" David-Sarah Hopwood
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Pasi.Eronen
- Re: [TLS] Last Call: draft-ietf-tls-renegotiation… Martin Rex
- Re: [TLS] Defining "TLS channel" tom.petch
- Re: [TLS] Defining "TLS channel" Martin Rex