Kyle Nekritz wrote: > > I do think this should be allowed if the client is satisfied with the > previous identities presented. We currently allow resumption across > domains supported by our wildcard certificate (I believe this is fairly > common practice), and our clients take advantage of this to improve their > resumption rate. In regards to the referenced paper, I don't think this > is any more dangerous than the wildcard certificate itself as a full > handshake would succeed anyway. I don't think it's entirely necessary > for the server to opt-in to this either, if the server wants it can > simply reject the resumption attempt.
I think it is a bad idea to look at this purely from the perspective of whether this represents an obvious attack vector. And there are two entirely *independent* decisions involved. (1) whether the TLS client proposes resumption for a session (i.e. client-side cache management) (2) whether the TLS server agrees to a proposed resumption or whether it performs a full handshake instead And there are _different_ security trade-offs in these two distinct decisions. As I previously described my position, I'm perfectly OK with a server performing a resumption if the full handshake would cause the server to send/present the very same TLS server certificate as in the full handshake that created the session that is proposed for resumption ... and that is actually the behaviour which I implemented, and what comes out naturally if you implement TLS extension SNI support _outside_ of the TLS stack on the server side. However, I believe that the server agreeing to resumption with a different SNI hostname is a use case, that with a sensible generic TLS client, should never actually occur in practice. Except for bugs or design flaws in the client-side session cache management maybe. The client does _not_ know which TLS server certificates the server has available, and what criteria it will apply for selecting one or the other. The existence of a wildcard certificate does not unconditionally preclude existence of host-specific certificates for specific services that are technically covered by the wildcard. I really dislike seemingly non-deterministic behaviour, and therefore try to avoid it as much as possible in whatever I implement. The decision to accept a particular server certificate for one specific hostname/target does not (should not) necessarily apply to *each* other possible servername covered/conveyed by that server certificate. Special-casing stuff makes the behaviour also difficult to comprehend for end-users / consumers (and implementers get it wrong more easily). What if the server certificate is "manually" confirmed by the end-user (for whatever reason: it's self-signed/untrusted or from DANE rather that PKIX) should that "acceptance" still/also transcend to all other hostnames (why or why not)? My client-side TLS session cache management (which I implemented above the TLS stack), uses the target hostname as one of the session cache lookup parameters, and I don't think it would be sensible to propose arbitrary sessions for resumption. The performance overhead for a full handshake per hostname is completely negligible (and if the server operator cares, he could simply avoid spreading content over distinct server hostnames). What I found painful instead, is the server-side behaviour implemented by Microsoft IIS / SChannel in the past, because when configured for optional client certificates, the server exhibits Alzheimer towards certificate-less clients (or at least it did so in the past), because it would force each client without client cert through a full renegotiation handshake after resumption for each new connection, failing to memorize that the resumed session was created by renegotiation where the server did ask for a client cert and the client did turn down that request. -Martin _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls