TLS Triple Handshakes

TLS Triple Handshakes

Fedor Brunner

Hi,
the attack described in https://secure-resumption.com/ breaks also tls
channel binding tls-unique RFC 5929.

I would still like to use tls-unique for channel binding as defined in
SCRAM (RFC 5802). Can OpenSSL be used for channel binding and protect
against this attack if the session caching is disabled?

SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)

Is it necessary to disable resumption using a different function?

Kind regards,
Fedor Brunner

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: TLS Triple Handshakes

Dr. Stephen Henson
On Tue, Mar 04, 2014, Fedor Brunner wrote:

>
> Hi,
> the attack described in https://secure-resumption.com/ breaks also tls
> channel binding tls-unique RFC 5929.
>
> I would still like to use tls-unique for channel binding as defined in
> SCRAM (RFC 5802). Can OpenSSL be used for channel binding and protect
> against this attack if the session caching is disabled?
>
> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)
>
> Is it necessary to disable resumption using a different function?
>

You'd also need to disable session tickets too.

Note the initial phase of the attack requires that the attacker possess a
private key and certificate the client trusts. I'd be interested to know how
that could happen under your circumstances.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org