Re: TLS ALPN Proposal v4

[Simone Bordet]

Hi,

On Mon, Sep 7, 2015 at 5:54 AM, Bradford Wetmore
 wrote:
> IMHO, the following works well.  I've added a new method that contains the
> ordered list of ciphersuites still to be tried which is a hint for ALPNinboked
> selection, but we delay the actual ciphersuite selection until after the
> ALPN value is chosen.  So the algorithm is now:
>
> 0.  Applications (especially server) might order suites with h2
> first for TLSv1.2. sslParameters.setUseCipherSuitesOrder(true)
> should be called on the server to ensure those suites are
> tried first.
>
> 1.  Start Handshake.
>
> 2.  Internal server handshaker chooses the TLS version.
>
> 3.  The internal server handshaker finds the client/server/protocol
> version intersection of the suites, loads the initial ordered
> list into a new method on a SSLSession (obtained by the
> getHandshakeSSLSession()), then iterates through the
> ordered list of ciphersuites as usual.
>
> 4.  For each "candidate" ciphersuite, first call the
> ApplicationProtocolSelector to choose an appropriate ALPN value.
> The getHandshakeSSLSession() contains the negotiated TLS
> protocol version and the ordered ciphersuite list with the
> "candidate" suite as the first entry.
>
> Note:  If the client sent unsupported ALPN values, the Selector
> can throw a SSLHandshakeException at this point and generate the
> "no_application_protocol" alert.
>inboked
> The Selector can also either choose to ignore/skip the suite, or
> accept the suite but choose no ALPN value.
>
> 5.  Continue the ciphersuite selection routine as usual (check for
> appropriate Keys, etc).  The KeyManager now has access to the
> negotiated TLS version and ALPN value along with theit
> ciphersuite via the same/usual
> getHandshakeSSLSession().
> This satisfies the RFC 7301 goal of having
> the certificate selection mechanism use the ALPN value.
>
> As ciphersuites are removed from consideration via the
> internal iterator in 3, they are also removed from the
> corresponding SSLSession entry.
>
> 6.  When handshaking is complete, the applications should verify
> that the session parameters (protocol version, ALPN value, and
> ciphersuites, etc.) are suitable, and send a HTTP-level
> INADEQUATE_SECURITY (H2) if there's a problem.
>
> In general, if the ciphersuites aren't ordered properly, that should be
> considered a configuration error on the part of the application(s). However,
> this dynamic ALPN selection approach still allows for appropriate ALPN
> values to be selected for each possible ciphersuite. That is, if the suites
> were ordered H1/H2, the ALPN value should be H1.
>
> For an example of such a selector, please see the new H2/H2+H1/H1
> ApplicationProtocolSelector implementions in
> ApplicationProtocolSelector.java, and how they are called in
> ServerHandshaker.java.
>
>
> Here is the latest:
>
> http://cr.openjdk.java.net/~wetmore/8051498/webrev.09

Are you sure this is the latest code ?
The relevant changes in ServerHandshaker are commented out.

I have the feeling that ApplicationProtocolSelector (APS) is not
really an application protocol selector, but a cipher suite selector.

APS seem to conflate cipher suite selection with application protocol
selection: the return value of select() actually is a 2-tuple that
means (ciphers[0], protocol) so that returning the empty string or
null does not have any effect on protocol selection, but only on
cipher selection.
You can for example implement APS without even looking at the
application protocol, just to exclude dynamically certain ciphers from
selection (e.g. based on performance or remote IP).

I don't understand exactly bullet 5 above. If APS chooses a cipher and
a protocol, but this is not a valid combination for the KeyManager to
select a certificate, what happens ? That APS is called again, right ?
But what if that was the last cipher ? Then APS won't be called again.
How can an application know that it is done trying to select a
protocol and that the protocol it chose is actually used ?

I guess this also brings to bullet 6: how can an application verify
that the N-tuple chosen is actually a correct one ? Is there an
additional callback that is being invoked (that applications can
implement) before the ServerHello is actually sent to the client ?

A very important point that I saw in the comments is support for TLS
session resumption - this has been asked multiple times by Jetty users
that were using Jetty's ALPN (and we implemented it).
Just make sure that whatever proposal enters JDK 9, session resumption
is supported.

My preference would go to the previous proposal (akin to Jetty - I
know I am biased) where protocol selection was happening in isolation
*after* cipher 

TLS ALPN Proposal v4

[Bradford Wetmore]

Hi all,

Simone/Xuelei/I wrote:

Per my understanding, application protocol should be negotiated before
>>>cipher suite and protocol version negotiated.

>>
>>This is not possible for HTTP/2.
>>Application protocol negotiation MUST happen*after*  the TLS protocol
>>and the TLS cipher are negotiated.

>
>Yes, that's my understanding as well.

What are the behaviors of other vendors?  Can we ask for a clarification
from both HTTP/2 and TLS WG?


and then Simone wrote:

I support Xuelei in that you should ask confirmation to the HTTP/2
editor.


Thanks for the encouragement, Simone.  As you've probably heard, I did 
contact the IETF HTTP/2 working group and posed several questions about 
expected usage[1].  I'm combining those responses plus several other 
points that came up since the last discussion.  This may be repeating 
some things already said, but serves as useful background info for those 
here that might not be following closely:


1.  HTTP/2 (aka H2) and TLSv1.3 were developed in parallel.  The H2 
designers wanted the ciphersuite restrictions in the proposed TLSv1.3. 
But since TLSv1.3 wasn't ready, they compromised by allowing TLSv1.2 to 
be used but with the restriction that only those ciphersuites that were 
expected/allowed for TLSv1.3 could be used.  That is, there is a 
blacklist of ciphersuites for TLSv1.2:  if a suite is present, it can't 
be used in TLSv1.2.  (e.g. no RSA KeyExchange, no CBC-based block 
ciphers, no stream ciphers, etc.)


2. RFC 7301 says in a couple places that it would be advantageous to 
have the chosen ALPN value used by the certificate selection mechanism 
(See sections 1 & 4).  Without a radical rewrite of the current 
selection mechanism (n-tuple), that means ALPN selection should be done 
before the ciphersuite is selected.  We could also check after, but I 
have a different approach (see below).


3. From the H2 working group discussion, a server instance will very 
likely support both H2 and legacy HTTP/1.1. This means for servers that 
prefer H2, any iterative cipher selection mechanisms needs to try the 
H2-specific ciphersuites first, then legacy non-H2 suites.  That is, the 
suites must be ordered appropriately so that the ciphersuite selection 
mechanism won't attempt a blacklisted suite before exhausting all 
H2-acceptable suites.  This ordering can be requested today in JSSE by 
the server calling sslParameters.setUseCipherSuitesOrder(true).  This 
particular point won't matter when TLSv1.3 is in play, as we wouldn't 
try those suites at all.


4. Clients may not know whether a server will be H2 or HTTP/1.1, so they 
should also appropriately sort ciphersuites based on their ALPN 
preferences.  (H2 first, H1 second.)


5. For our SunJSSE, while I think our current enabled list order is 
generally ok, we should probably reorder the ciphersuite priorities so 
that the TLSv1.3 acceptable suites are up front, with the others 
following. This prefers forward secrecy ciphersuites to our current 
ordering. I am thinking we should probably do this for JDK 9, and maybe 
backport as well. The current webrev (link below) doesn't have this yet.


6.  To avoid downgrade attacks, applications should not provide for a 
fallback mechanism.  This includes ALPN selection.


Connection#1:  {"h2", "http/1.1"} // Don't make two connections.
Connection#2:  {"http/1.1"}

POODLE was a good example where allowing fallbacks bit hard.

Of course, we can't control this at the JSSE layer, it's the application 
layer responsibility.



Tradeoff between A) change radically the OpenJDK implementation to
support an iterative processing of TLS protocols, extensions (all of
them), ciphers, aliases, etc. that would be future proof (if that is
even possible) and B) hack in just enough of what is needed to support
H2 today (for which we already have working examples) ?


Given where we are now schedule wise (integration currently due at the 
end of September), and that SunJSSE is such an iterative implementation, 
coming up with a multi-selector API is likely beyond what we can do at 
this point.


(webrev link below).

IMHO, the following works well.  I've added a new method that contains 
the ordered list of ciphersuites still to be tried which is a hint for 
ALPN selection, but we delay the actual ciphersuite selection until 
after the ALPN value is chosen.  So the algorithm is now:


0.  Applications (especially server) might order suites with h2
first for TLSv1.2. sslParameters.setUseCipherSuitesOrder(true)
should be called on the server to ensure those suites are
tried first.

1.  Start Handshake.

2.  Internal server handshaker chooses the TLS version.

3.  The internal server handshaker finds the client/server/protocol
version intersection of the suites, loads the initial ordered
list into a new method on a SSLSession (obtained by the
getHandshakeSSLSession()), then iterates through the
ordered list of