This is after my question about http and tls.
It seems that there is no mandate per RFC to invalidate an established TLS session if the underlying TCP connection is closed (and then reopened).
Is it safe to reuse the established TLS session over the new TCP connection?
Are there any known attacks (even at theoritical level) that could exploit this?
Thank you
Indeed there is such a mandate in RFC 2246 -- TLS 1.0 if the TCP connection is closed without sending a close_notify alert: see section 7.2.1 of the RFC 2246. This mandate was widely ignored in implementations that otherwise followed RFC 2246. Acknowledging this, TLS 1.1 and TLS 1.2 have eliminated the requirement.
TLS/SSL security does not rely on any properties of TCP, so things that happen at that level should not matter. In particular it should not matter whether you try to resume a TLS session on the same TCP connection or on a new TCP connection.
Related
I have a question about SSL. As I know, when we use browser to request from https server, it will make an SSL handshake first then all data will be encryption in the connection. But if I make a request without browser (like request module in nodejs, postman...), will it be an SSL handshake and data encryption on the connection?
Anyone know please explain to me, thank you.
First, stop saying SSL. Its successor is TLS, and it will have 20 years next January.
TLS is a protocol sitting on top of TCP typically (other variants can also use UDP), and provides on top of TCP features some new features about endpoints authentication and transport confidentiality and integrity.
In a way, you can understand it as being sandwiched between TCP and the higher level application protocol, like HTTP.
Saying otherwise you can use many others protocols on top of TLS: you have all email related ones (SMTP, IMAP, POP, etc.), you can have FTP on top of it (while probably not a good idea nowadays), XMPP for realtime communications, etc.
In short, any protocol using TCP could use TLS with some adaptation.
So HTTP is one case among others. HTTP is between an HTTP client and an HTTP server, or webserver for short.
A browser is an HTTP client. One among many ones. When you use curl or wget you are also an HTTP client. So if any HTTP client access an http:// link it will first do the TLS handshake, after the TCP connection and before starting to do anything really related to the HTTP protocol.
You have specialized libraries dealing with TLS so that not all program need to recode everything about this again, since it is also complicated.
I'm working on network program intended for (W)LAN-only applications. The program is going to exchange data over TCP. I want to introduce at least some level of security, therefore I'm thinking about securing raw TCP connections anonymous TLS.
I'm aware, that anonymous TLS has well-know vulnerabilities (man in the middle), but I cannot enforce (W)LAN members to obtain certificates and I'll have no authentication. As I understand anonymous TLS will ensure data integrity and encryption.
Do you think it's worth to play with TLS in my case? Maybe there's easier way to ensure data integrity and encryption?
I want to proxy WebSocket connections to multiple node.js servers using Amazon Elastic Load Balancer. Since Amazon ELB does not provide actual WebSocket support, I would need to use its vanilla TCP messaging. However, I'm trying to understand how this would work without some sort of sticky session functionality.
I understand that WebSockets work by first sending an HTTP Upgrade request from the client, which is handled by the server by sending a response which correctly handles key authentication. After the server sends that response and it is approved by the client, there is a bidirectional connection between that client and server.
However let's say the client, after approving the server response, sends data to the server. If it sends the data to the load balancer, and the load balancer then relays that data to a different server that did not handle the original WebSocket Upgrade request, then how will this new server be aware of the WebSocket connection? Or will the client automatically bypass the load balancer and send data directly to the server that handled the initial upgrade?
I think what we need to understand in order to answer this question is how exactly the underlying TCP connection evolves during the whole WebSocket creation process. You will realize that the sticky part of a WebSocket connection is the underlying TCP connection itself. I am not sure what you mean with "session" in the context of WebSockets.
At a high level, initiating a "WebSocket connection" requires the client to send an HTTP GET request to an HTTP server whereas the request includes the Upgrade header field. Now, for this request to happen the client needs to have established a TCP connection to the HTTP server (that might be obvious, but I think here it is important to point this out explicitly). The subsequent HTTP server response is then sent through the same TCP connection.
Note that now, after the server response has been sent, the TCP connection is still open/alive if not actively closed by either the client or the server.
Now, according to RFC 6455, the WebSocket standard, at the end of section 4.1:
If the server's response is validated as provided for above, it is
said that The WebSocket Connection is Established and that the
WebSocket Connection is in the OPEN state
I read from here that the same TCP connection that was initiated by the client before sending the initial HTTP GET (Upgrade) request will just be left open and will from now on serve as the transport layer for the full-duplex WebSocket connection. And this makes sense!
With respect to your question this means that a load balancer will only play a role before the initial HTTP GET (Upgrade) request is made, i.e. before the one and only TCP connection involved in said WebSocket connection creation is established between the two communication end points. Thereafter, the TCP connection stays established and cannot become "redirected" by a network device in between.
We can conclude that -- in your session terminology -- the TCP connection defines the session. As long as a WebSocket connection is alive (i.e. is not terminated), it by definition provides and lives in its own session. Nothing can change this session. Speaking in this picture, two independent WebSocket connections, however, cannot share the same session.
If you referred to something else with "session", then it probably is a session that is introduced by the application layer and we cannot comment on that one.
Edit with respect to your comments:
so you're saying that the load balancer is not involved in the TCP
connection
No, that is not true, at least in general. It definitely can take influence upon TCP connection establishment, in the sense that it can decide what to do with the client connection attempt. The specifics depend on the exact type of load balancer (* , see below). Important: After the connection is established between two endpoints -- whereas I don't consider the load balancer to be an endpoint, I refer to WebSocket client and WebSocket server -- the two endpoints will not change anymore for the lifetime of the WebSocket connection. The load balancer might* still be in the network path, but can be assumed to not take influence anymore.
Therefore the full-duplex connection is between the client and the
end server?
Yes!
***There are different types of load balancing. Depending on the type, the role of the load balancer is different after connection establishment between the two end points. Examples:
If the load balancing happens on DNS basis, then the load balancer is not involved in the final TCP connection at all. It just tells the client to which host is has to connect directly.
If the load balancer works like the Layer 4 ELB from AWS (docs here), then it so to say proxies the TCP connection. So the client would actually see the ELB itself as the server. What happens, however, is that the ELB just forwards the packages in both directions, without change. Hence, it is still heavily involved in the TCP connection, just transparently. In this case there are actually two permanent TCP connections involved: one from you to the ELB, and one from the ELB to the server. These are again permanent for the lifetime of your WebSocket connection.
WebSocket uses a persistent TCP connection, and hence requires all IP packets for that TCP connection to be forwarded to the same backend server (for the lifetime of the TCP connection).
It needs to be sticky. This is different from L7 HTTP LBs which are able to dispatch on a per HTTP-request basis.
A LB can work sticky by different approaches, i.e.
hash the source IP/port to the set of alive backend servers
upon TCP connection establishment, choose a backend server and remember that
We've been having issues getting a successful SSL connection from a client app trying to connect using wininet on windows xp sp3 (ie v6). The client hello looks off to me, why would the hello state its version as SSL 2.0 and then state the handshake version as SSL 3.0? Is there something coded incorrectly from the app using wininet?
SSLv2 Record Layer: Client Hello
[Version: SSL 2.0 (0x0002)] <---------------------
Length: 76
Handshake Message Type: Client Hello (1)
Version: SSL 3.0 (0x0300) <---------------------
Cipher Spec Length: 51
Session ID Length: 0
Challenge Length: 16
Cipher Specs (17 specs)
Challenge
SSLv3 and TLSv1.x have a compatibility mode in case the client also supports v2 servers, as described in the TLS specification (Backward Compatibility With SSL).
Some clients support this. For example Oracle/Sun Java has an SSLv2Hello pseudo-protocol, which uses SSLv2 Hello, but doesn't actually support SSLv2.
I know this issue is solved but I will share some more info about the subject which may be useful for viewers
"The client sends a SSLv2 ClientHello so that a server who understands only SSLv2 can process that message, and continue with a SSLv2 handshake. But the SSLv2 ClientHello also says "by the way, I know SSLv3, so if you know SSLv3 too, let's do SSLv3 instead of SSLv2", which is what usually happens (servers who know only of SSLv2 are extremely rare nowadays)."
I took it from Thomas Pornin's comment, link
https://security.stackexchange.com/questions/34827/why-clients-offer-handshaking-with-ssl-2-0-protocol
According to wikipedia: http://en.wikipedia.org/wiki/Transport_Layer_Security
Seems like TLS is a replacement to SSL, but most websites are still using SSL?
In short, TLSv1.0 is more or less SSLv3.1. You can find more details in this question on ServerFault.
Most websites actually support both SSLv3 and TLSv1.0 at least, as this study indicates (Lee, Malkin, and Nahum's paper: Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices, IMC 2007) (link obtained from the IETF TLS list). More than 98% support TLSv1+.
I think the reason why SSLv3 is still in use was for legacy support (although most browsers support TLSv1 and some TLSv1.1 or even TLSv1.2 nowadays). Until not so long ago, some distributions still had SSLv2 (considered insecure) on by default along with the others.
(You may also find this question interesting, although it's about the usage pattern of TLS rather than SSL vs. TLS (you could in fact have the same pattern with SSL). This does not apply to HTTPS anyway, since HTTPS uses SSL/TLS from the beginning of the connection.)
From http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authenticity/
In the early 90’s, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. It’s amazing that SSL has endured for as long as it has, in contrast to a number of other protocols from the same vintage. We’ve definitely learned a lot since then, though, but the thing about protocols and APIs is that there’s very little going back.
There were two major updates to the SSL protocol, SSL 2 (1995) and SSL 3 (1996). These were carefully done to be backwards compatible, to ease adoption. However backwards compatibility is a constraint for a security protocol for which it can mean backwards vulnerable.
Thus it was decided to break backwards compatiblity, and the new protocol named TLS 1.0 (1999). (In hindsight, it might have been clearer to name it TLS 4)
The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate.
TLS has been revised twice, TLS 1.1 (2006) and TLS 1.2 (2008).
As of 2015, all SSL versions are broken and insecure (the POODLE attack) and browsers are removing support. TLS 1.0 is ubiquitous, but only 60% of sites support TLS 1.1 and 1.2, a sorry state of affairs.
If you're interested in this stuff, I recommend Moxie Marlinspike's clever and funny talk at
https://www.youtube.com/watch?v=Z7Wl2FW2TcA
tls1.0 means sslv3.1
tls1.1 means sslv3.2
tls1.2 means sslv3.3
the rfc just changed the name, you could find tls1.0's hex code is 0x0301, which means sslv3.1
TLS maintains backward compatibility with SSL and therefore the communication protocol is nearly identical in any of the mentioned versions herein. The two important differences between SSL v.3, TLS 1.0, and TLS 1.2, is the pseudo-random function (PRF) and the HMAC hashing function (SHA, MD5, handshake), which is used to construct a block of symmetric keys for Application Data encryption (server keys + client keys + IV). Major difference between TLS 1.1 and TLS 1.2 is that 1.2 requires use-of "explicit" IV to protect against CBC attacks, although there is no changes to PRF or protocol needed for this. TLS 1.2 PRF is cipher-suite-specific, which means PRF can be negotiated during handshake. SSL was originally developed by Netscape Communications (historic) and later maintained by Internet Engineering Task Force (IETF, current). TLS is maintained by the Network Working Group. Here are difference between PRF HMAC functions in TLS:
TLS 1.0 and 1.1
PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);
TLS 1.2
PRF(secret, label, seed) = P_hash(secret, label + seed)
"If it ain't broken, don't touch it". SSL3 works fine in most scenarios (there was a fundamental flaw found in SSL/TLS protocol back in October, but this is a flaw of applications more than of a procol itself), so developers don't hurry to upgrade their SSL modules. TLS brings a number of useful extensions and security algorithms, but they are handy addition and not a must. So TLS on most servers remains an option. If both server and client support it, it will be used.
Update: in '2016 SSL 3, and even TLS up to 1.2 are found to be vulnerable to various attacks and migration to TLS 1.2 is recommended. There exist attacks on implementations of TLS 1.2 as well, though they are server-dependent. TLS 1.3 is currently in development. And now TLS 1.2 is a must.
https://hpbn.co/transport-layer-security-tls/ is a good introduction
The SSL protocol was originally developed at Netscape to enable ecommerce transaction security on the Web, which required encryption to protect customers’ personal data, as well as authentication and integrity guarantees to ensure a safe transaction. To achieve this, the SSL protocol was implemented at the application layer, directly on top of TCP (Figure 4-1), enabling protocols above it (HTTP, email, instant messaging, and many others) to operate unchanged while providing communication security when communicating across the network.
When SSL is used correctly, a third-party observer can only infer the connection endpoints, type of encryption, as well as the frequency and an approximate amount of data sent, but cannot read or modify any of the actual data.
SSL 2.0 was the first publicly released version of the protocol, but it was quickly replaced by SSL 3.0 due to a number of discovered security flaws. Because the SSL protocol was proprietary to Netscape, the IETF formed an effort to standardize the protocol, resulting in RFC 2246, which was published in January 1999 and became known as TLS 1.0. Since then, the IETF has continued iterating on the protocol to address security flaws, as well as to extend its capabilities: TLS 1.1 (RFC 2246) was published in April 2006, TLS 1.2 (RFC 5246) in August 2008, and work is now underway to define TLS 1.3.
Feature
SSL
TLS
Full Name
Secure Socket layer
Transport layer security
Created By
Netscape in 1994
In 1994, IETF took over the maintenance of SSL and later renamed it
Note: The world used the mostly TLS over SSL.