On 08/21/16 20:25, Ted Unangst wrote:
Andreas Bartelt wrote:
Since the use of TLS session tickets potentially interferes with forward
secrecy on a per-session basis, I'd personally prefer an opt-in in
libtls as well as in httpd with regard to its usage. However, such a
semantic change would not be transparent. Any opinions on this?

Defaulting to off makes sense to me. It's the marginally safer option and at
small scale probably not a performance concern. But if the default results in
900 "tutorials" telling people to turn it back on because web scale, then all
we've done is make things difficult.


I'm not so sure that disabling session tickets is only marginally safer. Please correct me if the following analysis is wrong.

With session tickets disabled:
- in case forward secrecy is not enabled and the attacker somehow obtains the server's private key -> the attacker can decrypt past, present and future TLS traffic to this server
- in case forward secrecy is enabled and the attacker somehow obtains the server's private key -> the attacker can conduct active MITM attacks on present and future TLS traffic to this server. However, passive MITM attacks won't succeed.

With session tickets enabled:
- in case the attacker somehow obtains the secret key which is used by the server to encrypt all of its session tickets -> attacker can conduct passive MITM attacks with regard to all TLS traffic to this server in the scope (i.e., lifetime) of the obtained secret key. This is because TLS clients send their session tickets back to the server during session resumption which enables a relatively straightforward way for snooping them on the wire. Decrypted session tickets might also enable active interference with their corresponding TLS sessions (e.g., the attacker could actively resume them).

In my opinion, the security of this TLS extension strongly depends on the assumptions about the attacker's capabilities and on the absence of other vulnerabilities (e.g., some kind of key leakage similar to heartbleed?). That being said, I still think that this TLS extension can be deployed with reasonable security. However, it doesn't look to me like a conservative ``default'' configuration.

As a first step, the attached diff adds a function to libtls
which allows one to (optionally) disable the use of TLS session tickets.

Can you please add an option to enable tickets? That makes it easier to write
software that works with either default.


A diff, which also disables session tickets by default in libtls, is attached.

Index: src/lib/libtls/tls.h
===================================================================
RCS file: /cvs/src/lib/libtls/tls.h,v
retrieving revision 1.33
diff -u -p -u -r1.33 tls.h
--- src/lib/libtls/tls.h        12 Aug 2016 15:10:59 -0000      1.33
+++ src/lib/libtls/tls.h        22 Aug 2016 03:59:02 -0000
@@ -41,6 +41,9 @@ extern "C" {
 #define TLS_WANT_POLLIN                -2
 #define TLS_WANT_POLLOUT       -3
 
+#define TLS_SESSION_TICKETS_DISABLE    0
+#define TLS_SESSION_TICKETS_ENABLE     1
+
 struct tls;
 struct tls_config;
 
@@ -73,6 +76,9 @@ int tls_config_set_keypair_mem(struct tl
     size_t _cert_len, const uint8_t *_key, size_t _key_len);
 void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
 void tls_config_set_verify_depth(struct tls_config *_config, int 
_verify_depth);
+
+void tls_config_enable_session_tickets(struct tls_config *_config);
+void tls_config_disable_session_tickets(struct tls_config *_config);
 
 void tls_config_prefer_ciphers_client(struct tls_config *_config);
 void tls_config_prefer_ciphers_server(struct tls_config *_config);
Index: src/lib/libtls/tls_config.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_config.c,v
retrieving revision 1.27
diff -u -p -u -r1.27 tls_config.c
--- src/lib/libtls/tls_config.c 13 Aug 2016 13:15:53 -0000      1.27
+++ src/lib/libtls/tls_config.c 22 Aug 2016 03:59:02 -0000
@@ -193,6 +193,8 @@ tls_config_new(void)
        tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
        tls_config_set_verify_depth(config, 6);
 
+       tls_config_disable_session_tickets(config);
+
        tls_config_prefer_ciphers_server(config);
 
        tls_config_verify(config);
@@ -524,6 +526,18 @@ void
 tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
 {
        config->verify_depth = verify_depth;
+}
+
+void
+tls_config_enable_session_tickets(struct tls_config *config)
+{
+       config->session_tickets = TLS_SESSION_TICKETS_ENABLE;
+}
+
+void
+tls_config_disable_session_tickets(struct tls_config *config)
+{
+       config->session_tickets = TLS_SESSION_TICKETS_DISABLE;
 }
 
 void
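Review bot: The tls_init.3 hunks add tls_config_enable_session_tickets and tls_config_disable_session_tickets only to the NAME and SYNOPSIS sections; no DESCRIPTION text appears in the diff, so neither what the two setters control nor the new default set in tls_config_new (tickets off) is documented for callers. I'd add a short paragraph to the DESCRIPTION stating that the pair controls whether a libtls server issues TLS session tickets and that tickets are disabled unless tls_config_enable_session_tickets is called. Separately, the TLS_SESSION_TICKETS_ENABLE/TLS_SESSION_TICKETS_DISABLE values assigned here are exported from the public tls.h, although the only consumers in this diff are tls_config.c and tls_server.c; if they are not intended as part of the API, tls_internal.h seems the better home, otherwise the man page should mention them too.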
Index: src/lib/libtls/tls_init.3
===================================================================
RCS file: /cvs/src/lib/libtls/tls_init.3,v
retrieving revision 1.66
diff -u -p -u -r1.66 tls_init.3
--- src/lib/libtls/tls_init.3   18 Aug 2016 15:43:12 -0000      1.66
+++ src/lib/libtls/tls_init.3   22 Aug 2016 03:59:02 -0000
@@ -39,6 +39,8 @@
 .Nm tls_config_set_keypair_mem ,
 .Nm tls_config_set_protocols ,
 .Nm tls_config_set_verify_depth ,
+.Nm tls_config_enable_session_tickets ,
+.Nm tls_config_disable_session_tickets ,
 .Nm tls_config_prefer_ciphers_client ,
 .Nm tls_config_prefer_ciphers_server ,
 .Nm tls_config_clear_keys ,
@@ -119,6 +121,10 @@
 .Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols"
 .Ft "void"
 .Fn tls_config_set_verify_depth "struct tls_config *config" "int verify_depth"
+.Ft "void"
+.Fn tls_config_enable_session_tickets "struct tls_config *config"
+.Ft "void"
+.Fn tls_config_disable_session_tickets "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_prefer_ciphers_client "struct tls_config *config"
 .Ft "void"
Index: src/lib/libtls/tls_internal.h
===================================================================
RCS file: /cvs/src/lib/libtls/tls_internal.h,v
retrieving revision 1.39
diff -u -p -u -r1.39 tls_internal.h
--- src/lib/libtls/tls_internal.h       15 Aug 2016 15:44:58 -0000      1.39
+++ src/lib/libtls/tls_internal.h       22 Aug 2016 03:59:02 -0000
@@ -64,6 +64,7 @@ struct tls_config {
        int ecdhecurve;
        struct tls_keypair *keypair;
        uint32_t protocols;
+       int session_tickets;
        int verify_cert;
        int verify_client;
        int verify_depth;
Index: src/lib/libtls/tls_server.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_server.c,v
retrieving revision 1.24
diff -u -p -u -r1.24 tls_server.c
--- src/lib/libtls/tls_server.c 18 Aug 2016 15:52:03 -0000      1.24
+++ src/lib/libtls/tls_server.c 22 Aug 2016 03:59:02 -0000
@@ -113,6 +113,10 @@ tls_configure_server_ssl(struct tls *ctx
        if (ctx->config->ciphers_server == 1)
                SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 
+       if (ctx->config->session_tickets == TLS_SESSION_TICKETS_DISABLE)
+               SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_TICKET);
+       else SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
+
        /*
         * Set session ID context to a random value.  We don't support
         * persistent caching of sessions so it is OK to set a temporary
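Review bot: `else SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);` places the statement on the same line as `else`, which departs from the surrounding style where the `if` body sits on its own line; split it as `else` / `SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);`. A comment on the new block would also help readers who reach for this knob for forward-secrecy reasons: SSL_OP_NO_TICKET only stops the server from issuing tickets, and, if the default server-side session cache mode is left in place, resumption via session IDs can still happen for the lifetime of the process (the existing comment below says only that persistent caching is unsupported). Something like `/* No tickets: resumption state, if any, stays in the in-process cache rather than in a client-held ticket. */` would make that explicit. tls_configure_server_ssl starts and ends outside this hunk.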
