Re: [TLS] Application data during renegotiation handshake
On Wed, 2015-11-11 at 18:39 +, Mike Bishop wrote: > I know that BoringSSL explicitly requires that application data flow > be stopped during renegotiation. If the HTTP working group adopts > this draft, do the owners of other TLS implementations expect this to > require changes in their TLS 1.2 implementations? GnuTLS also has this requirement. regards, Nikos ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Application data during renegotiation handshake
On 12/11/15 08:23, Nikos Mavrogiannopoulos wrote: > On Wed, 2015-11-11 at 18:39 +, Mike Bishop wrote: > >> I know that BoringSSL explicitly requires that application data flow >> be stopped during renegotiation. If the HTTP working group adopts >> this draft, do the owners of other TLS implementations expect this to >> require changes in their TLS 1.2 implementations? > GnuTLS also has this requirement. > OpenSSL also does not allow application data during renegotiation. Matt ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Application data during renegotiation handshake
On Wednesday 11 November 2015 18:39:51 Mike Bishop wrote: > Per the TLS 1.2 spec, that's permitted, but if > it's not been done before, I'm afraid we may be hitting less-tested > code paths. It's also something that Java does and what NSS supports. But indeed it is problematic: https://rt.openssl.org/Ticket/Display.html?id=3712&user=guest&pass=guest -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic signature.asc Description: This is a digitally signed message part. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Application data during renegotiation handshake
Matt Caswell wrote: > > > On 12/11/15 08:23, Nikos Mavrogiannopoulos wrote: > > On Wed, 2015-11-11 at 18:39 +, Mike Bishop wrote: > > > >> I know that BoringSSL explicitly requires that application data flow > >> be stopped during renegotiation. If the HTTP working group adopts > >> this draft, do the owners of other TLS implementations expect this to > >> require changes in their TLS 1.2 implementations? > > GnuTLS also has this requirement. > > > OpenSSL also does not allow application data during renegotiation. Our implementation also does not allow application data during renegotiation. (But it also has server-side renegotiation completely disabled.) -Martin ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Application data during renegotiation handshake
On Wed, 2015-11-11 at 18:39 +, Mike Bishop wrote: > A question for TLS implementation owners: During the discussion of > the TLS 1.2 portion of https://tools.ietf.org/html/draft-thomson-http > 2-client-certs-00, it was pointed out that HTTP/2 breaks a > simplification of the HTTP-TLS interface that some implementations > may have assumed. > > Since HTTP/1.1 only has one request per connection and that request > is waiting on the client certificate to be retrieved via > renegotiation, you can assume that the client will not send any > application data between the new ClientHello and sending the Finished > message. (“…it is expected that the negotiation will begin before no > more than a few records are received from the client.”) Likewise, > the server will not emit any application data between sending the > HelloRequest and sending its own Finished message. Since HTTP/2 will > have other requests being generated and served in parallel, this is > no longer the case. Per the TLS 1.2 spec, that’s permitted, but if > it’s not been done before, I’m afraid we may be hitting less-tested > code paths. We may are also introducing a new attack surface by allowing application data during rehandshake and implementations cache the messages until the handshake is complete. There is an interesting part of the triple handshake attack which can take advantage of applications which cache application data during rehandshake. Quoting: https://www.secure-resumption.com/ "... Consequently, A cannot read or send messages on these connections any more. However, its prior [to rehandshake] messages on both connections may well be prefixed to the messages sent after renegotiation." So an attacker could ensure that his messages are prefixed to the next session if he simply sends his application data during rehandshake. That was not possible with most implementations until now. So we are hitting less-tested protocol paths as well, not only code paths. regards, Nikos ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
[TLS] Review of https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-00
This is good. I have an editorial comment: can someone please go through and reconcile all the use of bits and bytes throughout. It actually seems like someone did a coin flip on every occurrence to decide which one to use. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Review of https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-00
On Thu, Nov 12, 2015 at 10:06 AM, Martin Thomson wrote: > This is good. > > I have an editorial comment: can someone please go through and > reconcile all the use of bits and bytes throughout. It actually seems > like someone did a coin flip on every occurrence to decide which one > to use. -01 already has some cleanups. But there's inevitably going to be some use of both bits and bytes in a draft such as this since keys are generally measured in bits but wire protocols are generally measured in bytes. I looked over each use of "bit" and "byte" in -01 and changed one key length to bits, but otherwise I think each use is about right. Cheers AGL -- Adam Langley a...@imperialviolet.org https://www.imperialviolet.org ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Application data during renegotiation handshake
On Wed, Nov 11, 2015 at 10:43 PM Yoav Nir wrote: > > > On 12 Nov 2015, at 3:32 AM, Adam Langley wrote: > > > > The TLS 1.3 post-handshake client-auth was intended, as I recall, to > > support HTTP/1.1 over TLS 1.3. > > No, it was (and is) presented as a way to do client certificate > authentication with HTTP/2 not at the initial handshake. > > > With HTTP/2 isn't it cleaner to do client-auth at the HTTP layer (i.e. > > by signing exporter values)? > > It is. I thought that an HTTP authentication method based on certificates > could be a drop-in replacement for TLS layer authentication, but someone (I > think it was Mike) pointed out that with TLS-layer certificate > authentication the stream continues after the authentication, while with > HTTP-layer authentication, the stream ends with a 401 status code, and the > client has to start a new stream with the Authorization header. So > applications would need to be changed for this to work. > Using existing HTTP semantics would certainly be cleaner in a vacuum, but one could still do it in HTTP/2 layer without creating a new stream. Perhaps adapt SPDY's CREDENTIAL frame and add a new SWITCH_CREDENTIAL frame to swap a stream's credential slot mid-stream? Alternatively, HTTP/2 frontend could make the application think there were two independent requests. Am I misunderstanding the objection? What about this: 1. Client hits HTTP/2 frontend. Frontend talks to application which decides it needs client auth, expecting it on the same stream. 2. Frontend immediately aborts that request and returns a 401 to the client. Application thinks the client just gave up. 3. Client makes a new stream, now authenticated. The frontend hits the application fresh. Application requests client auth as before and frontend responds immediately with the certificate the client asserted. This is, by the way, how Chrome implements client auth today, even with renego. We never reconfigure client auth mid-stream. I think it would be helpful to have examples of exactly what the applications look like, to know what constraints the various interested parties are working with. For example, Apache httpd has some high-level configuration file. https://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients Existing Apache installs can easily compatibility regardless of how the HTTP/TLS interaction looks. On the other extreme, if the goal is to keep Apache httpd unchanged while only changing OpenSSL, then we have a very different picture because the OpenSSL API is SSL_renegotiate/SSL_do_handshake (send a HelloRequest) + SSL_set_state/SSL_do_handshake (don't continue until renego completes). That one is quite overfit to the old flow and will be difficult to reconcile with almost anything. draft-thomson-http2-client-certs-00's HTTP/2 mode seems to be targeting something in between. It's okay with adding a new application_context_id, but the client certificate still needs to be asserted at the transport. I'm having a hard time divining the constraints from this. David ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] SHA-1 patch updated with Russ' suggestion
On 5 November 2015 at 15:53, Dave Garrett wrote: > "Trusted self-signatures SHOULD be validated before adding to a trust store > and SHOULD NOT be re-checked at runtime." But we're getting slightly out of > scope here, which is why I'm thinking that elaborating on this topic exactly > as suggested is not needed in the document. A trust anchor is a container for a public key and maybe some ancillary information. You don't actually need to check the signature because the process by which you determine that the information is correct doesn't depend on the signature. For example, the certificates that are in the Mozilla trust store all rely on the fact that you downloaded a valid version of Firefox and the mechanisms by which we safeguard that process. The signatures on trust anchors could be garbage and everything would still be fine. The intent of the change is to point this out. I'll rebase it and maybe add the pointer Russ provided, then we can double check that it's right. Right now, it's all dependent on other PRs and hard to follow. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
Re: [TLS] Application data during renegotiation handshake
Doing it at the HTTP layer (as an authentication mechanism) is challenging, since applications aren’t expecting to receive it that way, and moves the authenticated exchange onto a different stream than triggered it. I know that there’s the possibility for a layer to fake the client going away while actually sending a 401, but then you have to be able to tie the client’s second attempt back to the challenge, don’t you? When I say “application,” I mean the code being hosted by the web server that’s actually responding to the interpreted requests. While I’d like to minimize code changes in the HTTP server, my primary constraint is that I don’t change the application they’re hosting at all. The change to HTTP/2 and/or TLS 1.3 should be as transparent as possible. Keeping auth that’s currently done via TLS still in TLS helps to reduce those changes at higher layers. In the HttpBis working group meeting, there was fairly strong consensus that we needed a backward-compatibility mechanism for existing apps moving to HTTP/2 over TLS 1.[23]; there was also interest in defining something cleaner in the future for new apps that could adopt something brand new, but not at the expense of quickly enabling current apps to keep working. The draft below is the current candidate for least-ugly compat solution. Doing it at the framing layer is definitely a good option for the something cleaner. From: David Benjamin [mailto:david...@chromium.org] Sent: Thursday, November 12, 2015 12:43 PM To: Yoav Nir ; Adam Langley Cc: Mike Bishop ; tls@ietf.org Subject: Re: [TLS] Application data during renegotiation handshake On Wed, Nov 11, 2015 at 10:43 PM Yoav Nir mailto:ynir.i...@gmail.com>> wrote: > On 12 Nov 2015, at 3:32 AM, Adam Langley > mailto:a...@imperialviolet.org>> wrote: > > The TLS 1.3 post-handshake client-auth was intended, as I recall, to > support HTTP/1.1 over TLS 1.3. No, it was (and is) presented as a way to do client certificate authentication with HTTP/2 not at the initial handshake. > With HTTP/2 isn't it cleaner to do client-auth at the HTTP layer (i.e. > by signing exporter values)? It is. I thought that an HTTP authentication method based on certificates could be a drop-in replacement for TLS layer authentication, but someone (I think it was Mike) pointed out that with TLS-layer certificate authentication the stream continues after the authentication, while with HTTP-layer authentication, the stream ends with a 401 status code, and the client has to start a new stream with the Authorization header. So applications would need to be changed for this to work. Using existing HTTP semantics would certainly be cleaner in a vacuum, but one could still do it in HTTP/2 layer without creating a new stream. Perhaps adapt SPDY's CREDENTIAL frame and add a new SWITCH_CREDENTIAL frame to swap a stream's credential slot mid-stream? Alternatively, HTTP/2 frontend could make the application think there were two independent requests. Am I misunderstanding the objection? What about this: 1. Client hits HTTP/2 frontend. Frontend talks to application which decides it needs client auth, expecting it on the same stream. 2. Frontend immediately aborts that request and returns a 401 to the client. Application thinks the client just gave up. 3. Client makes a new stream, now authenticated. The frontend hits the application fresh. Application requests client auth as before and frontend responds immediately with the certificate the client asserted. This is, by the way, how Chrome implements client auth today, even with renego. We never reconfigure client auth mid-stream. I think it would be helpful to have examples of exactly what the applications look like, to know what constraints the various interested parties are working with. For example, Apache httpd has some high-level configuration file. https://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients Existing Apache installs can easily compatibility regardless of how the HTTP/TLS interaction looks. On the other extreme, if the goal is to keep Apache httpd unchanged while only changing OpenSSL, then we have a very different picture because the OpenSSL API is SSL_renegotiate/SSL_do_handshake (send a HelloRequest) + SSL_set_state/SSL_do_handshake (don't continue until renego completes). That one is quite overfit to the old flow and will be difficult to reconcile with almost anything. draft-thomson-http2-client-certs-00's HTTP/2 mode seems to be targeting something in between. It's okay with adding a new application_context_id, but the client certificate still needs to be asserted at the transport. I'm having a hard time divining the constraints from this. David ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
