subject:"Re\: dynamic renegotiation"

Re: dynamic renegotiation

1999-04-16 Thread Matthias Loepfe


Ralf S. Engelschall wrote:
 
 On Wed, Apr 14, 1999, Matthias Loepfe wrote:
 
  A renegotiation only happens if:
 
  1.) if current cipher is not contained in the new cipher list
  2.) if current cert chain length is longer than the verify depth
  3.) if verify client is required and no peer cert is available
  4.) 
 
 Ok, I've though about this now again and think your suggestions are ok, but
 technically read the following for mod_ssl:
 
 A renegotiation _has_ to be performed...
 
 o If the currently active cipher is not contained in the
   reconfigured/new cipher suite.
 o If the currently active verify type is less (strong) than
   the reconfigured/new verify type
   (order is: none  optional_no_ca  optional  require)
 o If the currently active verify depth is greater than the
   reconfigured/new verify depth.
 
 Additionally the following optimization is possible: When the currently active
 verify type is "none" but a client certificate is already known/present, it's
 enough to manually force a client verification but skip the renegotation
 handshake itself.

Thats exactly what I meant. But As soon a you enable your EXPERIMENTAL code
(ServerCert, CACerts) there will come aditional rules.

 
 Is this optimized approach still secure?

This morning a had a longer discussion with the security responsibles of a
large bank. At the end we concluded that it should be ok to do it this way.
The only thing which arose was that you cannot guarantee a client that
there will be always the best possible cipher used. That means if you
have two location with different cipher-lists configured, it is possible
that the client chooses tho different cipers to communicate with one of
thge locations depending if before there was a communication with the
other one:

Example: 

Location /a
SSLCipherSuite DES-CBC3-SHA:RC4-SHA
/Location

Location /b
SSLCipherSuite RC4-SHA
/Location


If the client first connect to '/b' and the to '/a' it will use
RC4-SHA other wise it will use DES-CBC3-SHA

But we also agreed that this is not really a reason not to optimize
the renegotiation.


regards

Matthias

---
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED]   Voice: +41 1 272 6111   Fax: +41 1 272 6312
__
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: dynamic renegotiation

1999-04-16 Thread Ralf S. Engelschall


On Fri, Apr 16, 1999, Matthias Loepfe wrote:

[...]
  A renegotiation _has_ to be performed...
  
  o If the currently active cipher is not contained in the
reconfigured/new cipher suite.
  o If the currently active verify type is less (strong) than
the reconfigured/new verify type
(order is: none  optional_no_ca  optional  require)
  o If the currently active verify depth is greater than the
reconfigured/new verify depth.
  
  Additionally the following optimization is possible: When the currently active
  verify type is "none" but a client certificate is already known/present, it's
  enough to manually force a client verification but skip the renegotation
  handshake itself.
 
 Thats exactly what I meant. But As soon a you enable your EXPERIMENTAL code
 (ServerCert, CACerts) there will come aditional rules.

Additional rules? You mean when people use it they will find out more
optimization possibilities? Ok, as long as they're not causing
security risks, that's no problem.

BTW, I've now implemented it this way: Unless one uses "SSLOptions
+OptRenegotiate" the paranoid approach is used where a renegotiation is forced
whenever something is changed on the parameters.  With "+OptRenegotiate" it's
done the optimized way described above.

I've just still one problem: The "manually force a client verification" seems
to be not supported by OpenSSL and is actually not possible when the client
already resumed the connection. And I'm still not sure what we can assume in
this situation (i.e. whether the present cert is really already verified).

So the problem is this:
1. The client connects with a certificate and sends the HTTP request.
2. mod_ssl determines that client auth is needed on a per-dir basis
   and foces a renegotiation.
3. The client now upgrades the connection by presenting the client
   certificate.
4. mod_ssl accepts it and sends the response.
5. The client creates a new forthcoming or even parallel
   connection by resuming the last session, i.e. it immediately connects with
   the _upgraded_ state, i.e.  already presents the certificate in the initial
   handshake. 
6. The clients HTTP request again hits the per-dir client auth requirements.
7. What can mod_ssl now assume when it finds out that client auth is requested
   and a peer certficate is present?

Because under 7.) mod_ssl usually _CANNOT_ any longer verify the certificate
chain because it's no longer present (OpenSSL stores only the peer certificate
but not the chain). Can mod_ssl now assume that it already has verified it
once in a previous session? I think mod_ssl can assume this as long as it can
make sure the connection is a resumed one. When it's a not-resumed one (i.e.
client connected with a certificate although mod_ssl hasn't requested it) I
think mod_ssl has to still force a renegotiation, because the present
certificate then wasn't verified.

 Location /a
 SSLCipherSuite DES-CBC3-SHA:RC4-SHA
 /Location
 SSLCipherSuite RC4-SHA
 /Location
 
 If the client first connect to '/b' and the to '/a' it will use
 RC4-SHA other wise it will use DES-CBC3-SHA
 But we also agreed that this is not really a reason not to optimize
 the renegotiation.

Yes, I've thought about this, too. And that actually was the initial reason I
created the OptRenegotiate option.  To allow the user to choose himself
whether this optimization is wanted by him.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: dynamic renegotiation

1999-04-15 Thread Ralf S. Engelschall


On Wed, Apr 14, 1999, Matthias Loepfe wrote:

 From my point of view there happen much too much renegotiations 

Yes, that's correct. We've recognized this some time ago, too.  I've written
it down on my TODO list, but it's non-trivial to make better.

 which is
 especially anoying if client certs are requested because there is always
 a user interaction required. Could the logic which determines a renegotiation
 be slightly changed?
 
 A renegotiation only happens if:
 1.) if current cipher is not contained in the new cipher list
 2.) if current cert chain length is longer than the verify depth
 3.) if verify client is required and no peer cert is available
 4.) 

Hmm... good suggestions, but as I already said once in the past: One has to be
_VERY_ carefully when doing short-cuts or optimizations for this stuff because
one can too easily introduce security holes. That's why I currently
implemented it this way: mod_ssl checks whether the parameters change in _any_
way and when it changed it forces a renegotiation.  You're right that this
often still is too much renegotiation.  I'll try to sit down in a silent
minute and think about the possible and safe optimizations again.

 During my tests I found a behaviour which I don't understand. Probably
 someone can explain it to me:
 
 The following two cipher lists are the same:
HIGH:+MEDIUM
HIGH:+MEDIUM:+EXP
 But the following contains the export ciphers as expected
   HIGH:+MEDIUM:EXP
 You can verify it with 'openssl ciphers -v list'

grin That's because Eric's syntax is strange.  The "+XXX" does _NOT_ mean
"plus XXX" or "add XXX to the cipher suite". It means "move XXX to this place
of the ordering". When you don't have XXX in the cipher suite "+XXX" is
useless. That why CipherSuite strings usually start with some "XXX:YYY:ZZZ"
followed with appended ":+AAA:+BBB" where AAA and BBB are subparts of XXX, YYY
or ZZZ. Read the mod_ssl user manual carefully. I think I've explained it
there in detail.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: dynamic renegotiation

1999-04-15 Thread Ralf S. Engelschall


On Wed, Apr 14, 1999, Matthias Loepfe wrote:

 A renegotiation only happens if:
 
 1.) if current cipher is not contained in the new cipher list
 2.) if current cert chain length is longer than the verify depth
 3.) if verify client is required and no peer cert is available
 4.) 

Ok, I've though about this now again and think your suggestions are ok, but
technically read the following for mod_ssl:

A renegotiation _has_ to be performed...

o If the currently active cipher is not contained in the
  reconfigured/new cipher suite.
o If the currently active verify type is less (strong) than 
  the reconfigured/new verify type 
  (order is: none  optional_no_ca  optional  require)
o If the currently active verify depth is greater than the
  reconfigured/new verify depth.

Additionally the following optimization is possible: When the currently active
verify type is "none" but a client certificate is already known/present, it's
enough to manually force a client verification but skip the renegotation
handshake itself.

Is this optimized approach still secure?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: dynamic renegotiation

Re: dynamic renegotiation

Re: dynamic renegotiation

Re: dynamic renegotiation

4 matches

Site Navigation

Mail list logo

Footer information