Re: Banning TLS renegotiation

To: Wouter Verhelst <w@uter.be>
Cc: "Richard W.M. Jones" <rjones@redhat.com>, nbd@other.debian.org
Subject: Re: Banning TLS renegotiation
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Wed, 4 Oct 2017 08:39:38 +0100
Message-id: <[🔎] 20171004073938.GA14147@redhat.com>
Reply-to: "Daniel P. Berrange" <berrange@redhat.com>
In-reply-to: <[🔎] 20171003182649.oaktpp6yekyfe6ux@grep.be>
References: <[🔎] 20171003103256.GA23085@redhat.com> <[🔎] 20171003110836.GE4904@redhat.com> <[🔎] 20171003112132.GH4365@redhat.com> <[🔎] 20171003134855.GH4904@redhat.com> <[🔎] 20171003135930.GJ4365@redhat.com> <[🔎] 20171003182649.oaktpp6yekyfe6ux@grep.be>

On Tue, Oct 03, 2017 at 08:26:49PM +0200, Wouter Verhelst wrote:
> On Tue, Oct 03, 2017 at 02:59:31PM +0100, Richard W.M. Jones wrote:
> > On Tue, Oct 03, 2017 at 02:48:55PM +0100, Daniel P. Berrange wrote:
> > > I would say
> > > 
> > >   "a peer  SHOULD follow the TLS protocol spec for accepting
> > >    or rejecting a renegotiation, but MAY close the connection
> > >    abruptly"
> > 
> > How about this extension of the above:
> > 
> >   "A peer SHOULD follow the TLS protocol spec for accepting
> >   or rejecting a renegotiation, but MAY close the connection
> >   abruptly.  If the peer accepts renegotiation then it MUST
> >   follow RFC5746, and it MAY limit the number of times per
> >   connection that renegotiations are permitted in order to
> >   prevent a possible Denial of Service attack."
> 
> I can think of one situation where TLS renegotiation would be necessary
> or valid in an NBD context: if a client tries to connect to an export
> which requires client certificate, but a server has several exports and
> some do not. In that case, the client would do STARTTLS (the server
> necessarily allowing a negotiation without certificates), and then send
> NBD_OPT_GO for a certificate-requiring export. and then receive a
> renegotiation request from the server so that it can provide a
> certificate. The server shouldn't ask for renegotation followed by a
> NBD_REP_ACK in that case (to mitigate the mitm-vulnerability in
> renegotiation that was pointed to earlier), but instead some error, then
> perform the renegotiation, and then the client should try the NBD_OPT_GO
> again.

We shouldn't try to workaround TLS flaws in a layer above it, as that kind
of approach has a fine history of security screw ups. 

Latest TLS versions have a fixed renegotiation protocol and any good TLS
library impl will let you guarantee this is used. So anyone caring about
supporting TLS renegotiation should just use a fixed library, which will
be pretty much all of them at this point.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Reply to:

Follow-Ups:
- Re: Banning TLS renegotiation
  - From: Wouter Verhelst <w@uter.be>

References:
- Banning TLS renegotiation
  - From: "Richard W.M. Jones" <rjones@redhat.com>
- Re: Banning TLS renegotiation
  - From: "Daniel P. Berrange" <berrange@redhat.com>
- Re: Banning TLS renegotiation
  - From: "Richard W.M. Jones" <rjones@redhat.com>
- Re: Banning TLS renegotiation
  - From: "Daniel P. Berrange" <berrange@redhat.com>
- Re: Banning TLS renegotiation
  - From: "Richard W.M. Jones" <rjones@redhat.com>
- Re: Banning TLS renegotiation
  - From: Wouter Verhelst <w@uter.be>

Prev by Date: Re: Banning TLS renegotiation
Next by Date: Re: Banning TLS renegotiation
Previous by thread: Re: Banning TLS renegotiation
Next by thread: Re: Banning TLS renegotiation
Index(es):
- Date
- Thread