diff options
Diffstat (limited to 'doc/protocol/rfc3546.txt')
-rw-r--r-- | doc/protocol/rfc3546.txt | 1627 |
1 files changed, 0 insertions, 1627 deletions
diff --git a/doc/protocol/rfc3546.txt b/doc/protocol/rfc3546.txt deleted file mode 100644 index 4392449068..0000000000 --- a/doc/protocol/rfc3546.txt +++ /dev/null @@ -1,1627 +0,0 @@ - - - - - - -Network Working Group S. Blake-Wilson -Request for Comments: 3546 BCI -Updates: 2246 M. Nystrom -Category: Standards Track RSA Security - D. Hopwood - Independent Consultant - J. Mikkelsen - Transactionware - T. Wright - Vodafone - June 2003 - - - Transport Layer Security (TLS) Extensions - -Status of this Memo - - This document specifies an Internet standards track protocol for the - Internet community, and requests discussion and suggestions for - improvements. Please refer to the current edition of the "Internet - Official Protocol Standards" (STD 1) for the standardization state - and status of this protocol. Distribution of this memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (2003). All Rights Reserved. - -Abstract - - This document describes extensions that may be used to add - functionality to Transport Layer Security (TLS). It provides both - generic extension mechanisms for the TLS handshake client and server - hellos, and specific extensions using these generic mechanisms. - - The extensions may be used by TLS clients and servers. The - extensions are backwards compatible - communication is possible - between TLS 1.0 clients that support the extensions and TLS 1.0 - servers that do not support the extensions, and vice versa. - -Conventions used in this Document - - The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in BCP 14, RFC 2119 - [KEYWORDS]. - - - - - - -Blake-Wilson, et. al. Standards Track [Page 1] - -RFC 3546 TLS Extensions June 2003 - - -Table of Contents - - 1. Introduction ............................................. 2 - 2. General Extension Mechanisms ............................. 4 - 2.1. Extended Client Hello ............................... 5 - 2.2. Extended Server Hello ............................... 5 - 2.3. Hello Extensions .................................... 6 - 2.4. Extensions to the handshake protocol ................ 7 - 3. Specific Extensions ...................................... 8 - 3.1. Server Name Indication .............................. 8 - 3.2. Maximum Fragment Length Negotiation ................. 10 - 3.3. Client Certificate URLs ............................. 11 - 3.4. Trusted CA Indication ............................... 14 - 3.5. Truncated HMAC ...................................... 15 - 3.6. Certificate Status Request........................... 16 - 4. Error alerts .............................................. 18 - 5. Procedure for Defining New Extensions...................... 20 - 6. Security Considerations .................................. 21 - 6.1. Security of server_name ............................. 21 - 6.2. Security of max_fragment_length ..................... 21 - 6.3. Security of client_certificate_url .................. 22 - 6.4. Security of trusted_ca_keys ......................... 23 - 6.5. Security of truncated_hmac .......................... 23 - 6.6. Security of status_request .......................... 24 - 7. Internationalization Considerations ...................... 24 - 8. IANA Considerations ...................................... 24 - 9. Intellectual Property Rights ............................. 26 - 10. Acknowledgments .......................................... 26 - 11. Normative References ..................................... 27 - 12. Informative References ................................... 28 - 13. Authors' Addresses ....................................... 28 - 14. Full Copyright Statement ................................. 29 - -1. Introduction - - This document describes extensions that may be used to add - functionality to Transport Layer Security (TLS). It provides both - generic extension mechanisms for the TLS handshake client and server - hellos, and specific extensions using these generic mechanisms. - - TLS is now used in an increasing variety of operational environments - - many of which were not envisioned when the original design criteria - for TLS were determined. The extensions introduced in this document - are designed to enable TLS to operate as effectively as possible in - new environments like wireless networks. - - - - - - -Blake-Wilson, et. al. Standards Track [Page 2] - -RFC 3546 TLS Extensions June 2003 - - - Wireless environments often suffer from a number of constraints not - commonly present in wired environments. These constraints may - include bandwidth limitations, computational power limitations, - memory limitations, and battery life limitations. - - The extensions described here focus on extending the functionality - provided by the TLS protocol message formats. Other issues, such as - the addition of new cipher suites, are deferred. - - Specifically, the extensions described in this document are designed - to: - - - Allow TLS clients to provide to the TLS server the name of the - server they are contacting. This functionality is desirable to - facilitate secure connections to servers that host multiple - 'virtual' servers at a single underlying network address. - - - Allow TLS clients and servers to negotiate the maximum fragment - length to be sent. This functionality is desirable as a result of - memory constraints among some clients, and bandwidth constraints - among some access networks. - - - Allow TLS clients and servers to negotiate the use of client - certificate URLs. This functionality is desirable in order to - conserve memory on constrained clients. - - - Allow TLS clients to indicate to TLS servers which CA root keys - they possess. This functionality is desirable in order to prevent - multiple handshake failures involving TLS clients that are only - able to store a small number of CA root keys due to memory - limitations. - - - Allow TLS clients and servers to negotiate the use of truncated - MACs. This functionality is desirable in order to conserve - bandwidth in constrained access networks. - - - Allow TLS clients and servers to negotiate that the server sends - the client certificate status information (e.g., an Online - Certificate Status Protocol (OCSP) [OCSP] response) during a TLS - handshake. This functionality is desirable in order to avoid - sending a Certificate Revocation List (CRL) over a constrained - access network and therefore save bandwidth. - - In order to support the extensions above, general extension - mechanisms for the client hello message and the server hello message - are introduced. - - - - - -Blake-Wilson, et. al. Standards Track [Page 3] - -RFC 3546 TLS Extensions June 2003 - - - The extensions described in this document may be used by TLS 1.0 - clients and TLS 1.0 servers. The extensions are designed to be - backwards compatible - meaning that TLS 1.0 clients that support the - extensions can talk to TLS 1.0 servers that do not support the - extensions, and vice versa. - - Backwards compatibility is primarily achieved via two considerations: - - - Clients typically request the use of extensions via the extended - client hello message described in Section 2.1. TLS 1.0 [TLS] - requires servers to accept extended client hello messages, even if - the server does not "understand" the extension. - - - For the specific extensions described here, no mandatory server - response is required when clients request extended functionality. - - Note however, that although backwards compatibility is supported, - some constrained clients may be forced to reject communications with - servers that do not support the extensions as a result of the limited - capabilities of such clients. - - The remainder of this document is organized as follows. Section 2 - describes general extension mechanisms for the client hello and - server hello handshake messages. Section 3 describes specific - extensions to TLS 1.0. Section 4 describes new error alerts for use - with the TLS extensions. The final sections of the document address - IPR, security considerations, registration of the application/pkix- - pkipath MIME type, acknowledgements, and references. - -2. General Extension Mechanisms - - This section presents general extension mechanisms for the TLS - handshake client hello and server hello messages. - - These general extension mechanisms are necessary in order to enable - clients and servers to negotiate whether to use specific extensions, - and how to use specific extensions. The extension formats described - are based on [MAILING LIST]. - - Section 2.1 specifies the extended client hello message format, - Section 2.2 specifies the extended server hello message format, and - Section 2.3 describes the actual extension format used with the - extended client and server hellos. - - - - - - - - -Blake-Wilson, et. al. Standards Track [Page 4] - -RFC 3546 TLS Extensions June 2003 - - -2.1. Extended Client Hello - - Clients MAY request extended functionality from servers by sending - the extended client hello message format in place of the client hello - message format. The extended client hello message format is: - - struct { - ProtocolVersion client_version; - Random random; - SessionID session_id; - CipherSuite cipher_suites<2..2^16-1>; - CompressionMethod compression_methods<1..2^8-1>; - Extension client_hello_extension_list<0..2^16-1>; - } ClientHello; - - Here the new "client_hello_extension_list" field contains a list of - extensions. The actual "Extension" format is defined in Section 2.3. - - In the event that a client requests additional functionality using - the extended client hello, and this functionality is not supplied by - the server, the client MAY abort the handshake. - - Note that [TLS], Section 7.4.1.2, allows additional information to be - added to the client hello message. Thus the use of the extended - client hello defined above should not "break" existing TLS 1.0 - servers. - - A server that supports the extensions mechanism MUST accept only - client hello messages in either the original or extended ClientHello - format, and (as for all other messages) MUST check that the amount of - data in the message precisely matches one of these formats; if not - then it MUST send a fatal "decode_error" alert. This overrides the - "Forward compatibility note" in [TLS]. - -2.2. Extended Server Hello - - The extended server hello message format MAY be sent in place of the - server hello message when the client has requested extended - functionality via the extended client hello message specified in - Section 2.1. The extended server hello message format is: - - - - - - - - - - - -Blake-Wilson, et. al. Standards Track [Page 5] - -RFC 3546 TLS Extensions June 2003 - - - struct { - ProtocolVersion server_version; - Random random; - SessionID session_id; - CipherSuite cipher_suite; - CompressionMethod compression_method; - Extension server_hello_extension_list<0..2^16-1>; - } ServerHello; - - Here the new "server_hello_extension_list" field contains a list of - extensions. The actual "Extension" format is defined in Section 2.3. - - Note that the extended server hello message is only sent in response - to an extended client hello message. This prevents the possibility - that the extended server hello message could "break" existing TLS 1.0 - clients. - -2.3. Hello Extensions - - The extension format for extended client hellos and extended server - hellos is: - - struct { - ExtensionType extension_type; - opaque extension_data<0..2^16-1>; - } Extension; - - Here: - - - "extension_type" identifies the particular extension type. - - - "extension_data" contains information specific to the particular - extension type. - - The extension types defined in this document are: - - enum { - server_name(0), max_fragment_length(1), - client_certificate_url(2), trusted_ca_keys(3), - truncated_hmac(4), status_request(5), (65535) - } ExtensionType; - - Note that for all extension types (including those defined in - future), the extension type MUST NOT appear in the extended server - hello unless the same extension type appeared in the corresponding - client hello. Thus clients MUST abort the handshake if they receive - an extension type in the extended server hello that they did not - request in the associated (extended) client hello. - - - -Blake-Wilson, et. al. Standards Track [Page 6] - -RFC 3546 TLS Extensions June 2003 - - - Nonetheless "server initiated" extensions may be provided in the - future within this framework by requiring the client to first send an - empty extension to indicate that it supports a particular extension. - - Also note that when multiple extensions of different types are - present in the extended client hello or the extended server hello, - the extensions may appear in any order. There MUST NOT be more than - one extension of the same type. - - Finally note that all the extensions defined in this document are - relevant only when a session is initiated. However, a client that - requests resumption of a session does not in general know whether the - server will accept this request, and therefore it SHOULD send an - extended client hello if it would normally do so for a new session. - If the resumption request is denied, then a new set of extensions - will be negotiated as normal. If, on the other hand, the older - session is resumed, then the server MUST ignore extensions appearing - in the client hello, and send a server hello containing no - extensions; in this case the extension functionality negotiated - during the original session initiation is applied to the resumed - session. - -2.4. Extensions to the handshake protocol - - This document suggests the use of two new handshake messages, - "CertificateURL" and "CertificateStatus". These messages are - described in Section 3.3 and Section 3.6, respectively. The new - handshake message structure therefore becomes: - - enum { - hello_request(0), client_hello(1), server_hello(2), - certificate(11), server_key_exchange (12), - certificate_request(13), server_hello_done(14), - certificate_verify(15), client_key_exchange(16), - finished(20), certificate_url(21), certificate_status(22), - (255) - } HandshakeType; - - - - - - - - - - - - - - -Blake-Wilson, et. al. Standards Track [Page 7] - -RFC 3546 TLS Extensions June 2003 - - - struct { - HandshakeType msg_type; /* handshake type */ - uint24 length; /* bytes in message */ - select (HandshakeType) { - case hello_request: HelloRequest; - case client_hello: ClientHello; - case server_hello: ServerHello; - case certificate: Certificate; - case server_key_exchange: ServerKeyExchange; - case certificate_request: CertificateRequest; - case server_hello_done: ServerHelloDone; - case certificate_verify: CertificateVerify; - case client_key_exchange: ClientKeyExchange; - case finished: Finished; - case certificate_url: CertificateURL; - case certificate_status: CertificateStatus; - } body; - } Handshake; - -3. Specific Extensions - - This section describes the specific TLS extensions specified in this - document. - - Note that any messages associated with these extensions that are sent - during the TLS handshake MUST be included in the hash calculations - involved in "Finished" messages. - - Section 3.1 describes the extension of TLS to allow a client to - indicate which server it is contacting. Section 3.2 describes the - extension to provide maximum fragment length negotiation. Section - 3.3 describes the extension to allow client certificate URLs. - Section 3.4 describes the extension to allow a client to indicate - which CA root keys it possesses. Section 3.5 describes the extension - to allow the use of truncated HMAC. Section 3.6 describes the - extension to support integration of certificate status information - messages into TLS handshakes. - -3.1. Server Name Indication - - [TLS] does not provide a mechanism for a client to tell a server the - name of the server it is contacting. It may be desirable for clients - to provide this information to facilitate secure connections to - servers that host multiple 'virtual' servers at a single underlying - network address. - - - - - - -Blake-Wilson, et. al. Standards Track [Page 8] - -RFC 3546 TLS Extensions June 2003 - - - In order to provide the server name, clients MAY include an extension - of type "server_name" in the (extended) client hello. The - "extension_data" field of this extension SHALL contain - "ServerNameList" where: - - struct { - NameType name_type; - select (name_type) { - case host_name: HostName; - } name; - } ServerName; - - enum { - host_name(0), (255) - } NameType; - - opaque HostName<1..2^16-1>; - - struct { - ServerName server_name_list<1..2^16-1> - } ServerNameList; - - Currently the only server names supported are DNS hostnames, however - this does not imply any dependency of TLS on DNS, and other name - types may be added in the future (by an RFC that Updates this - document). TLS MAY treat provided server names as opaque data and - pass the names and types to the application. - - "HostName" contains the fully qualified DNS hostname of the server, - as understood by the client. The hostname is represented as a byte - string using UTF-8 encoding [UTF8], without a trailing dot. - - If the hostname labels contain only US-ASCII characters, then the - client MUST ensure that labels are separated only by the byte 0x2E, - representing the dot character U+002E (requirement 1 in section 3.1 - of [IDNA] notwithstanding). If the server needs to match the HostName - against names that contain non-US-ASCII characters, it MUST perform - the conversion operation described in section 4 of [IDNA], treating - the HostName as a "query string" (i.e. the AllowUnassigned flag MUST - be set). Note that IDNA allows labels to be separated by any of the - Unicode characters U+002E, U+3002, U+FF0E, and U+FF61, therefore - servers MUST accept any of these characters as a label separator. If - the server only needs to match the HostName against names containing - exclusively ASCII characters, it MUST compare ASCII names case- - insensitively. - - Literal IPv4 and IPv6 addresses are not permitted in "HostName". - - - - -Blake-Wilson, et. al. Standards Track [Page 9] - -RFC 3546 TLS Extensions June 2003 - - - It is RECOMMENDED that clients include an extension of type - "server_name" in the client hello whenever they locate a server by a - supported name type. - - A server that receives a client hello containing the "server_name" - extension, MAY use the information contained in the extension to - guide its selection of an appropriate certificate to return to the - client, and/or other aspects of security policy. In this event, the - server SHALL include an extension of type "server_name" in the - (extended) server hello. The "extension_data" field of this - extension SHALL be empty. - - If the server understood the client hello extension but does not - recognize the server name, it SHOULD send an "unrecognized_name" - alert (which MAY be fatal). - - If an application negotiates a server name using an application - protocol, then upgrades to TLS, and a server_name extension is sent, - then the extension SHOULD contain the same name that was negotiated - in the application protocol. If the server_name is established in - the TLS session handshake, the client SHOULD NOT attempt to request a - different server name at the application layer. - -3.2. Maximum Fragment Length Negotiation - - [TLS] specifies a fixed maximum plaintext fragment length of 2^14 - bytes. It may be desirable for constrained clients to negotiate a - smaller maximum fragment length due to memory limitations or - bandwidth limitations. - - In order to negotiate smaller maximum fragment lengths, clients MAY - include an extension of type "max_fragment_length" in the (extended) - client hello. The "extension_data" field of this extension SHALL - contain: - - enum{ - 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) - } MaxFragmentLength; - - whose value is the desired maximum fragment length. The allowed - values for this field are: 2^9, 2^10, 2^11, and 2^12. - - - - - - - - - - -Blake-Wilson, et. al. Standards Track [Page 10] - -RFC 3546 TLS Extensions June 2003 - - - Servers that receive an extended client hello containing a - "max_fragment_length" extension, MAY accept the requested maximum - fragment length by including an extension of type - "max_fragment_length" in the (extended) server hello. The - "extension_data" field of this extension SHALL contain - "MaxFragmentLength" whose value is the same as the requested maximum - fragment length. - - If a server receives a maximum fragment length negotiation request - for a value other than the allowed values, it MUST abort the - handshake with an "illegal_parameter" alert. Similarly, if a client - receives a maximum fragment length negotiation response that differs - from the length it requested, it MUST also abort the handshake with - an "illegal_parameter" alert. - - Once a maximum fragment length other than 2^14 has been successfully - negotiated, the client and server MUST immediately begin fragmenting - messages (including handshake messages), to ensure that no fragment - larger than the negotiated length is sent. Note that TLS already - requires clients and servers to support fragmentation of handshake - messages. - - The negotiated length applies for the duration of the session - including session resumptions. - - The negotiated length limits the input that the record layer may - process without fragmentation (that is, the maximum value of - TLSPlaintext.length; see [TLS] section 6.2.1). Note that the output - of the record layer may be larger. For example, if the negotiated - length is 2^9=512, then for currently defined cipher suites (those - defined in [TLS], [KERB], and [AESSUITES]), and when null compression - is used, the record layer output can be at most 793 bytes: 5 bytes of - headers, 512 bytes of application data, 256 bytes of padding, and 20 - bytes of MAC. That means that in this event a TLS record layer peer - receiving a TLS record layer message larger than 793 bytes may - discard the message and send a "record_overflow" alert, without - decrypting the message. - -3.3. Client Certificate URLs - - [TLS] specifies that when client authentication is performed, client - certificates are sent by clients to servers during the TLS handshake. - It may be desirable for constrained clients to send certificate URLs - in place of certificates, so that they do not need to store their - certificates and can therefore save memory. - - - - - - -Blake-Wilson, et. al. Standards Track [Page 11] - -RFC 3546 TLS Extensions June 2003 - - - In order to negotiate to send certificate URLs to a server, clients - MAY include an extension of type "client_certificate_url" in the - (extended) client hello. The "extension_data" field of this - extension SHALL be empty. - - (Note that it is necessary to negotiate use of client certificate - URLs in order to avoid "breaking" existing TLS 1.0 servers.) - - Servers that receive an extended client hello containing a - "client_certificate_url" extension, MAY indicate that they are - willing to accept certificate URLs by including an extension of type - "client_certificate_url" in the (extended) server hello. The - "extension_data" field of this extension SHALL be empty. - - After negotiation of the use of client certificate URLs has been - successfully completed (by exchanging hellos including - "client_certificate_url" extensions), clients MAY send a - "CertificateURL" message in place of a "Certificate" message: - - enum { - individual_certs(0), pkipath(1), (255) - } CertChainType; - - enum { - false(0), true(1) - } Boolean; - - struct { - CertChainType type; - URLAndOptionalHash url_and_hash_list<1..2^16-1>; - } CertificateURL; - - struct { - opaque url<1..2^16-1>; - Boolean hash_present; - select (hash_present) { - case false: struct {}; - case true: SHA1Hash; - } hash; - } URLAndOptionalHash; - - opaque SHA1Hash[20]; - - Here "url_and_hash_list" contains a sequence of URLs and optional - hashes. - - - - - - -Blake-Wilson, et. al. Standards Track [Page 12] - -RFC 3546 TLS Extensions June 2003 - - - When X.509 certificates are used, there are two possibilities: - - - if CertificateURL.type is "individual_certs", each URL refers to a - single DER-encoded X.509v3 certificate, with the URL for the - client's certificate first, or - - - if CertificateURL.type is "pkipath", the list contains a single - URL referring to a DER-encoded certificate chain, using the type - PkiPath described in Section 8. - - When any other certificate format is used, the specification that - describes use of that format in TLS should define the encoding format - of certificates or certificate chains, and any constraint on their - ordering. - - The hash corresponding to each URL at the client's discretion is - either not present or is the SHA-1 hash of the certificate or - certificate chain (in the case of X.509 certificates, the DER-encoded - certificate or the DER-encoded PkiPath). - - Note that when a list of URLs for X.509 certificates is used, the - ordering of URLs is the same as that used in the TLS Certificate - message (see [TLS] Section 7.4.2), but opposite to the order in which - certificates are encoded in PkiPath. In either case, the self-signed - root certificate MAY be omitted from the chain, under the assumption - that the server must already possess it in order to validate it. - - Servers receiving "CertificateURL" SHALL attempt to retrieve the - client's certificate chain from the URLs, and then process the - certificate chain as usual. A cached copy of the content of any URL - in the chain MAY be used, provided that a SHA-1 hash is present for - that URL and it matches the hash of the cached copy. - - Servers that support this extension MUST support the http: URL scheme - for certificate URLs, and MAY support other schemes. - - If the protocol used to retrieve certificates or certificate chains - returns a MIME formatted response (as HTTP does), then the following - MIME Content-Types SHALL be used: when a single X.509v3 certificate - is returned, the Content-Type is "application/pkix-cert" [PKIOP], and - when a chain of X.509v3 certificates is returned, the Content-Type is - "application/pkix-pkipath" (see Section 8). - - - - - - - - - -Blake-Wilson, et. al. Standards Track [Page 13] - -RFC 3546 TLS Extensions June 2003 - - - If a SHA-1 hash is present for an URL, then the server MUST check - that the SHA-1 hash of the contents of the object retrieved from that - URL (after decoding any MIME Content-Transfer-Encoding) matches the - given hash. If any retrieved object does not have the correct SHA-1 - hash, the server MUST abort the handshake with a - "bad_certificate_hash_value" alert. - - Note that clients may choose to send either "Certificate" or - "CertificateURL" after successfully negotiating the option to send - certificate URLs. The option to send a certificate is included to - provide flexibility to clients possessing multiple certificates. - - If a server encounters an unreasonable delay in obtaining - certificates in a given CertificateURL, it SHOULD time out and signal - a "certificate_unobtainable" error alert. - -3.4. Trusted CA Indication - - Constrained clients that, due to memory limitations, possess only a - small number of CA root keys, may wish to indicate to servers which - root keys they possess, in order to avoid repeated handshake - failures. - - In order to indicate which CA root keys they possess, clients MAY - include an extension of type "trusted_ca_keys" in the (extended) - client hello. The "extension_data" field of this extension SHALL - contain "TrustedAuthorities" where: - - struct { - TrustedAuthority trusted_authorities_list<0..2^16-1>; - } TrustedAuthorities; - - struct { - IdentifierType identifier_type; - select (identifier_type) { - case pre_agreed: struct {}; - case key_sha1_hash: SHA1Hash; - case x509_name: DistinguishedName; - case cert_sha1_hash: SHA1Hash; - } identifier; - } TrustedAuthority; - - enum { - pre_agreed(0), key_sha1_hash(1), x509_name(2), - cert_sha1_hash(3), (255) - } IdentifierType; - - opaque DistinguishedName<1..2^16-1>; - - - -Blake-Wilson, et. al. Standards Track [Page 14] - -RFC 3546 TLS Extensions June 2003 - - - Here "TrustedAuthorities" provides a list of CA root key identifiers - that the client possesses. Each CA root key is identified via - either: - - - "pre_agreed" - no CA root key identity supplied. - - - "key_sha1_hash" - contains the SHA-1 hash of the CA root key. For - DSA and ECDSA keys, this is the hash of the "subjectPublicKey" - value. For RSA keys, the hash is of the big-endian byte string - representation of the modulus without any initial 0-valued bytes. - (This copies the key hash formats deployed in other environments.) - - - "x509_name" - contains the DER-encoded X.509 DistinguishedName of - the CA. - - - "cert_sha1_hash" - contains the SHA-1 hash of a DER-encoded - Certificate containing the CA root key. - - Note that clients may include none, some, or all of the CA root keys - they possess in this extension. - - Note also that it is possible that a key hash or a Distinguished Name - alone may not uniquely identify a certificate issuer - for example if - a particular CA has multiple key pairs - however here we assume this - is the case following the use of Distinguished Names to identify - certificate issuers in TLS. - - The option to include no CA root keys is included to allow the client - to indicate possession of some pre-defined set of CA root keys. - - Servers that receive a client hello containing the "trusted_ca_keys" - extension, MAY use the information contained in the extension to - guide their selection of an appropriate certificate chain to return - to the client. In this event, the server SHALL include an extension - of type "trusted_ca_keys" in the (extended) server hello. The - "extension_data" field of this extension SHALL be empty. - -3.5. Truncated HMAC - - Currently defined TLS cipher suites use the MAC construction HMAC - with either MD5 or SHA-1 [HMAC] to authenticate record layer - communications. In TLS the entire output of the hash function is - used as the MAC tag. However it may be desirable in constrained - environments to save bandwidth by truncating the output of the hash - function to 80 bits when forming MAC tags. - - - - - - -Blake-Wilson, et. al. Standards Track [Page 15] - -RFC 3546 TLS Extensions June 2003 - - - In order to negotiate the use of 80-bit truncated HMAC, clients MAY - include an extension of type "truncated_hmac" in the extended client - hello. The "extension_data" field of this extension SHALL be empty. - - Servers that receive an extended hello containing a "truncated_hmac" - extension, MAY agree to use a truncated HMAC by including an - extension of type "truncated_hmac", with empty "extension_data", in - the extended server hello. - - Note that if new cipher suites are added that do not use HMAC, and - the session negotiates one of these cipher suites, this extension - will have no effect. It is strongly recommended that any new cipher - suites using other MACs consider the MAC size as an integral part of - the cipher suite definition, taking into account both security and - bandwidth considerations. - - If HMAC truncation has been successfully negotiated during a TLS - handshake, and the negotiated cipher suite uses HMAC, both the client - and the server pass this fact to the TLS record layer along with the - other negotiated security parameters. Subsequently during the - session, clients and servers MUST use truncated HMACs, calculated as - specified in [HMAC]. That is, CipherSpec.hash_size is 10 bytes, and - only the first 10 bytes of the HMAC output are transmitted and - checked. Note that this extension does not affect the calculation of - the PRF as part of handshaking or key derivation. - - The negotiated HMAC truncation size applies for the duration of the - session including session resumptions. - -3.6. Certificate Status Request - - Constrained clients may wish to use a certificate-status protocol - such as OCSP [OCSP] to check the validity of server certificates, in - order to avoid transmission of CRLs and therefore save bandwidth on - constrained networks. This extension allows for such information to - be sent in the TLS handshake, saving roundtrips and resources. - - In order to indicate their desire to receive certificate status - information, clients MAY include an extension of type - "status_request" in the (extended) client hello. The - "extension_data" field of this extension SHALL contain - "CertificateStatusRequest" where: - - - - - - - - - -Blake-Wilson, et. al. Standards Track [Page 16] - -RFC 3546 TLS Extensions June 2003 - - - struct { - CertificateStatusType status_type; - select (status_type) { - case ocsp: OCSPStatusRequest; - } request; - } CertificateStatusRequest; - - enum { ocsp(1), (255) } CertificateStatusType; - - struct { - ResponderID responder_id_list<0..2^16-1>; - Extensions request_extensions; - } OCSPStatusRequest; - - opaque ResponderID<1..2^16-1>; - opaque Extensions<0..2^16-1>; - - In the OCSPStatusRequest, the "ResponderIDs" provides a list of OCSP - responders that the client trusts. A zero-length "responder_id_list" - sequence has the special meaning that the responders are implicitly - known to the server - e.g., by prior arrangement. "Extensions" is a - DER encoding of OCSP request extensions. - - Both "ResponderID" and "Extensions" are DER-encoded ASN.1 types as - defined in [OCSP]. "Extensions" is imported from [PKIX]. A zero- - length "request_extensions" value means that there are no extensions - (as opposed to a zero-length ASN.1 SEQUENCE, which is not valid for - the "Extensions" type). - - In the case of the "id-pkix-ocsp-nonce" OCSP extension, [OCSP] is - unclear about its encoding; for clarification, the nonce MUST be a - DER-encoded OCTET STRING, which is encapsulated as another OCTET - STRING (note that implementations based on an existing OCSP client - will need to be checked for conformance to this requirement). - - Servers that receive a client hello containing the "status_request" - extension, MAY return a suitable certificate status response to the - client along with their certificate. If OCSP is requested, they - SHOULD use the information contained in the extension when selecting - an OCSP responder, and SHOULD include request_extensions in the OCSP - request. - - Servers return a certificate response along with their certificate by - sending a "CertificateStatus" message immediately after the - "Certificate" message (and before any "ServerKeyExchange" or - "CertificateRequest" messages). If a server returns a - - - - - -Blake-Wilson, et. al. Standards Track [Page 17] - -RFC 3546 TLS Extensions June 2003 - - - "CertificateStatus" message, then the server MUST have included an - extension of type "status_request" with empty "extension_data" in the - extended server hello. - - struct { - CertificateStatusType status_type; - select (status_type) { - case ocsp: OCSPResponse; - } response; - } CertificateStatus; - - opaque OCSPResponse<1..2^24-1>; - - An "ocsp_response" contains a complete, DER-encoded OCSP response - (using the ASN.1 type OCSPResponse defined in [OCSP]). Note that - only one OCSP response may be sent. - - The "CertificateStatus" message is conveyed using the handshake - message type "certificate_status". - - Note that a server MAY also choose not to send a "CertificateStatus" - message, even if it receives a "status_request" extension in the - client hello message. - - Note in addition that servers MUST NOT send the "CertificateStatus" - message unless it received a "status_request" extension in the client - hello message. - - Clients requesting an OCSP response, and receiving an OCSP response - in a "CertificateStatus" message MUST check the OCSP response and - abort the handshake if the response is not satisfactory. - -4. Error Alerts - - This section defines new error alerts for use with the TLS extensions - defined in this document. - - The following new error alerts are defined. To avoid "breaking" - existing clients and servers, these alerts MUST NOT be sent unless - the sending party has received an extended hello message from the - party they are communicating with. - - - "unsupported_extension" - this alert is sent by clients that - receive an extended server hello containing an extension that they - did not put in the corresponding client hello (see Section 2.3). - This message is always fatal. - - - - - -Blake-Wilson, et. al. Standards Track [Page 18] - -RFC 3546 TLS Extensions June 2003 - - - - "unrecognized_name" - this alert is sent by servers that receive a - server_name extension request, but do not recognize the server - name. This message MAY be fatal. - - - "certificate_unobtainable" - this alert is sent by servers who are - unable to retrieve a certificate chain from the URL supplied by - the client (see Section 3.3). This message MAY be fatal - for - example if client authentication is required by the server for the - handshake to continue and the server is unable to retrieve the - certificate chain, it may send a fatal alert. - - - "bad_certificate_status_response" - this alert is sent by clients - that receive an invalid certificate status response (see Section - 3.6). This message is always fatal. - - - "bad_certificate_hash_value" - this alert is sent by servers when - a certificate hash does not match a client provided - certificate_hash. This message is always fatal. - - These error alerts are conveyed using the following syntax: - - enum { - close_notify(0), - unexpected_message(10), - bad_record_mac(20), - decryption_failed(21), - record_overflow(22), - decompression_failure(30), - handshake_failure(40), - /* 41 is not defined, for historical reasons */ - bad_certificate(42), - unsupported_certificate(43), - certificate_revoked(44), - certificate_expired(45), - certificate_unknown(46), - illegal_parameter(47), - unknown_ca(48), - access_denied(49), - decode_error(50), - decrypt_error(51), - export_restriction(60), - protocol_version(70), - insufficient_security(71), - internal_error(80), - user_canceled(90), - no_renegotiation(100), - unsupported_extension(110), /* new */ - certificate_unobtainable(111), /* new */ - - - -Blake-Wilson, et. al. Standards Track [Page 19] - -RFC 3546 TLS Extensions June 2003 - - - unrecognized_name(112), /* new */ - bad_certificate_status_response(113), /* new */ - bad_certificate_hash_value(114), /* new */ - (255) - } AlertDescription; - -5. Procedure for Defining New Extensions - - Traditionally for Internet protocols, the Internet Assigned Numbers - Authority (IANA) handles the allocation of new values for future - expansion, and RFCs usually define the procedure to be used by the - IANA. However, there are subtle (and not so subtle) interactions - that may occur in this protocol between new features and existing - features which may result in a significant reduction in overall - security. - - Therefore, requests to define new extensions (including assigning - extension and error alert numbers) must be approved by IETF Standards - Action. - - The following considerations should be taken into account when - designing new extensions: - - - All of the extensions defined in this document follow the - convention that for each extension that a client requests and that - the server understands, the server replies with an extension of - the same type. - - - Some cases where a server does not agree to an extension are error - conditions, and some simply a refusal to support a particular - feature. In general error alerts should be used for the former, - and a field in the server extension response for the latter. - - - Extensions should as far as possible be designed to prevent any - attack that forces use (or non-use) of a particular feature by - manipulation of handshake messages. This principle should be - followed regardless of whether the feature is believed to cause a - security problem. - - Often the fact that the extension fields are included in the - inputs to the Finished message hashes will be sufficient, but - extreme care is needed when the extension changes the meaning of - messages sent in the handshake phase. Designers and implementors - should be aware of the fact that until the handshake has been - authenticated, active attackers can modify messages and insert, - remove, or replace extensions. - - - - - -Blake-Wilson, et. al. Standards Track [Page 20] - -RFC 3546 TLS Extensions June 2003 - - - - It would be technically possible to use extensions to change major - aspects of the design of TLS; for example the design of cipher - suite negotiation. This is not recommended; it would be more - appropriate to define a new version of TLS - particularly since - the TLS handshake algorithms have specific protection against - version rollback attacks based on the version number, and the - possibility of version rollback should be a significant - consideration in any major design change. - -6. Security Considerations - - Security considerations for the extension mechanism in general, and - the design of new extensions, are described in the previous section. - A security analysis of each of the extensions defined in this - document is given below. - - In general, implementers should continue to monitor the state of the - art, and address any weaknesses identified. - - Additional security considerations are described in the TLS 1.0 RFC - [TLS]. - -6.1. Security of server_name - - If a single server hosts several domains, then clearly it is - necessary for the owners of each domain to ensure that this satisfies - their security needs. Apart from this, server_name does not appear - to introduce significant security issues. - - Implementations MUST ensure that a buffer overflow does not occur - whatever the values of the length fields in server_name. - - Although this document specifies an encoding for internationalized - hostnames in the server_name extension, it does not address any - security issues associated with the use of internationalized - hostnames in TLS - in particular, the consequences of "spoofed" names - that are indistinguishable from another name when displayed or - printed. It is recommended that server certificates not be issued - for internationalized hostnames unless procedures are in place to - mitigate the risk of spoofed hostnames. - -6.2. Security of max_fragment_length - - The maximum fragment length takes effect immediately, including for - handshake messages. However, that does not introduce any security - complications that are not already present in TLS, since [TLS] - requires implementations to be able to handle fragmented handshake - messages. - - - -Blake-Wilson, et. al. Standards Track [Page 21] - -RFC 3546 TLS Extensions June 2003 - - - Note that as described in section 3.2, once a non-null cipher suite - has been activated, the effective maximum fragment length depends on - the cipher suite and compression method, as well as on the negotiated - max_fragment_length. This must be taken into account when sizing - buffers, and checking for buffer overflow. - -6.3. Security of client_certificate_url - - There are two major issues with this extension. - - The first major issue is whether or not clients should include - certificate hashes when they send certificate URLs. - - When client authentication is used *without* the - client_certificate_url extension, the client certificate chain is - covered by the Finished message hashes. The purpose of including - hashes and checking them against the retrieved certificate chain, is - to ensure that the same property holds when this extension is used - - i.e., that all of the information in the certificate chain retrieved - by the server is as the client intended. - - On the other hand, omitting certificate hashes enables functionality - that is desirable in some circumstances - for example clients can be - issued daily certificates that are stored at a fixed URL and need not - be provided to the client. Clients that choose to omit certificate - hashes should be aware of the possibility of an attack in which the - attacker obtains a valid certificate on the client's key that is - different from the certificate the client intended to provide. - Although TLS uses both MD5 and SHA-1 hashes in several other places, - this was not believed to be necessary here. The property required of - SHA-1 is second pre-image resistance. - - The second major issue is that support for client_certificate_url - involves the server acting as a client in another URL protocol. The - server therefore becomes subject to many of the same security - concerns that clients of the URL scheme are subject to, with the - added concern that the client can attempt to prompt the server to - connect to some, possibly weird-looking URL. - - In general this issue means that an attacker might use the server to - indirectly attack another host that is vulnerable to some security - flaw. It also introduces the possibility of denial of service - attacks in which an attacker makes many connections to the server, - each of which results in the server attempting a connection to the - target of the attack. - - - - - - -Blake-Wilson, et. al. Standards Track [Page 22] - -RFC 3546 TLS Extensions June 2003 - - - Note that the server may be behind a firewall or otherwise able to - access hosts that would not be directly accessible from the public - Internet; this could exacerbate the potential security and denial of - service problems described above, as well as allowing the existence - of internal hosts to be confirmed when they would otherwise be - hidden. - - The detailed security concerns involved will depend on the URL - schemes supported by the server. In the case of HTTP, the concerns - are similar to those that apply to a publicly accessible HTTP proxy - server. In the case of HTTPS, the possibility for loops and - deadlocks to be created exists and should be addressed. In the case - of FTP, attacks similar to FTP bounce attacks arise. - - As a result of this issue, it is RECOMMENDED that the - client_certificate_url extension should have to be specifically - enabled by a server administrator, rather than being enabled by - default. It is also RECOMMENDED that URI protocols be enabled by the - administrator individually, and only a minimal set of protocols be - enabled, with unusual protocols offering limited security or whose - security is not well-understood being avoided. - - As discussed in [URI], URLs that specify ports other than the default - may cause problems, as may very long URLs (which are more likely to - be useful in exploiting buffer overflow bugs). - - Also note that HTTP caching proxies are common on the Internet, and - some proxies do not check for the latest version of an object - correctly. If a request using HTTP (or another caching protocol) - goes through a misconfigured or otherwise broken proxy, the proxy may - return an out-of-date response. - -6.4. Security of trusted_ca_keys - - It is possible that which CA root keys a client possesses could be - regarded as confidential information. As a result, the CA root key - indication extension should be used with care. - - The use of the SHA-1 certificate hash alternative ensures that each - certificate is specified unambiguously. As for the previous - extension, it was not believed necessary to use both MD5 and SHA-1 - hashes. - -6.5. Security of truncated_hmac - - It is possible that truncated MACs are weaker than "un-truncated" - MACs. However, no significant weaknesses are currently known or - expected to exist for HMAC with MD5 or SHA-1, truncated to 80 bits. - - - -Blake-Wilson, et. al. Standards Track [Page 23] - -RFC 3546 TLS Extensions June 2003 - - - Note that the output length of a MAC need not be as long as the - length of a symmetric cipher key, since forging of MAC values cannot - be done off-line: in TLS, a single failed MAC guess will cause the - immediate termination of the TLS session. - - Since the MAC algorithm only takes effect after the handshake - messages have been authenticated by the hashes in the Finished - messages, it is not possible for an active attacker to force - negotiation of the truncated HMAC extension where it would not - otherwise be used (to the extent that the handshake authentication is - secure). Therefore, in the event that any security problem were - found with truncated HMAC in future, if either the client or the - server for a given session were updated to take into account the - problem, they would be able to veto use of this extension. - -6.6. Security of status_request - - If a client requests an OCSP response, it must take into account that - an attacker's server using a compromised key could (and probably - would) pretend not to support the extension. A client that requires - OCSP validation of certificates SHOULD either contact the OCSP server - directly in this case, or abort the handshake. - - Use of the OCSP nonce request extension (id-pkix-ocsp-nonce) may - improve security against attacks that attempt to replay OCSP - responses; see section 4.4.1 of [OCSP] for further details. - -7. Internationalization Considerations - - None of the extensions defined here directly use strings subject to - localization. Domain Name System (DNS) hostnames are encoded using - UTF-8. If future extensions use text strings, then - internationalization should be considered in their design. - -8. IANA Considerations - - The MIME type "application/pkix-pkipath" has been registered by the - IANA with the following template: - - To: ietf-types@iana.org Subject: Registration of MIME media type - application/pkix-pkipath - - MIME media type name: application - - MIME subtype name: pkix-pkipath - - Required parameters: none - - - - -Blake-Wilson, et. al. Standards Track [Page 24] - -RFC 3546 TLS Extensions June 2003 - - - Optional parameters: version (default value is "1") - - Encoding considerations: - This MIME type is a DER encoding of the ASN.1 type PkiPath, - defined as follows: - PkiPath ::= SEQUENCE OF Certificate - PkiPath is used to represent a certification path. Within the - sequence, the order of certificates is such that the subject of - the first certificate is the issuer of the second certificate, - etc. - - This is identical to the definition that will be published in - [X509-4th-TC1]; note that it is different from that in [X509-4th]. - - All Certificates MUST conform to [PKIX]. (This should be - interpreted as a requirement to encode only PKIX-conformant - certificates using this type. It does not necessarily require - that all certificates that are not strictly PKIX-conformant must - be rejected by relying parties, although the security consequences - of accepting any such certificates should be considered - carefully.) - - DER (as opposed to BER) encoding MUST be used. If this type is - sent over a 7-bit transport, base64 encoding SHOULD be used. - - Security considerations: - The security considerations of [X509-4th] and [PKIX] (or any - updates to them) apply, as well as those of any protocol that uses - this type (e.g., TLS). - - Note that this type only specifies a certificate chain that can be - assessed for validity according to the relying party's existing - configuration of trusted CAs; it is not intended to be used to - specify any change to that configuration. - - Interoperability considerations: - No specific interoperability problems are known with this type, - but for recommendations relating to X.509 certificates in general, - see [PKIX]. - - Published specification: this memo, and [PKIX]. - - Applications which use this media type: TLS. It may also be used by - other protocols, or for general interchange of PKIX certificate - chains. - - - - - - -Blake-Wilson, et. al. Standards Track [Page 25] - -RFC 3546 TLS Extensions June 2003 - - - Additional information: - Magic number(s): DER-encoded ASN.1 can be easily recognized. - Further parsing is required to distinguish from other ASN.1 - types. - File extension(s): .pkipath - Macintosh File Type Code(s): not specified - - Person & email address to contact for further information: - Magnus Nystrom <magnus@rsasecurity.com> - - Intended usage: COMMON - - Author/Change controller: - Magnus Nystrom <magnus@rsasecurity.com> - -9. Intellectual Property Rights - - The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in RFC 2028. Copies of - claims of rights made available for publication and any assurances of - licenses to be made available, or the result of an attempt made to - obtain a general license or permission for the use of such - proprietary rights by implementors or users of this specification can - be obtained from the IETF Secretariat. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights which may cover technology that may be required to practice - this document. Please address the information to the IETF Executive - Director. - -10. Acknowledgments - - The authors wish to thank the TLS Working Group and the WAP Security - Group. This document is based on discussion within these groups. - - - - - - - - - - -Blake-Wilson, et. al. Standards Track [Page 26] - -RFC 3546 TLS Extensions June 2003 - - -11. Normative References - - [HMAC] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: - Keyed-hashing for message authentication", RFC 2104, - February 1997. - - [HTTP] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., - Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext - Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. - - [IDNA] Faltstrom, P., Hoffman, P. and A. Costello, - "Internationalizing Domain Names in Applications - (IDNA)", RFC 3490, March 2003. - - [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", BCP 14, RFC 2119, March 1997. - - [OCSP] Myers, M., Ankney, R., Malpani, A., Galperin, S. and - C. Adams, "Internet X.509 Public Key Infrastructure: - Online Certificate Status Protocol - OCSP", RFC 2560, - June 1999. - - [PKIOP] Housley, R. and P. Hoffman, "Internet X.509 Public Key - Infrastructure - Operation Protocols: FTP and HTTP", - RFC 2585, May 1999. - - [PKIX] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet - Public Key Infrastructure - Certificate and - Certificate Revocation List (CRL) Profile", RFC 3280, - April 2002. - - [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version - 1.0", RFC 2246, January 1999. - - [URI] Berners-Lee, T., Fielding, R. and L. Masinter, - "Uniform Resource Identifiers (URI): Generic Syntax", - RFC 2396, August 1998. - - [UTF8] Yergeau, F., "UTF-8, a transformation format of ISO - 10646", RFC 2279, January 1998. - - [X509-4th] ITU-T Recommendation X.509 (2000) | ISO/IEC 9594- - 8:2001, "Information Systems - Open Systems - Interconnection - The Directory: Public key and - attribute certificate frameworks." - - - - - - -Blake-Wilson, et. al. Standards Track [Page 27] - -RFC 3546 TLS Extensions June 2003 - - - [X509-4th-TC1] ITU-T Recommendation X.509(2000) Corrigendum 1(2001) | - ISO/IEC 9594-8:2001/Cor.1:2002, Technical Corrigendum - 1 to ISO/IEC 9594:8:2001. - -12. Informative References - - [KERB] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher - Suites to Transport Layer Security (TLS)", RFC 2712, - October 1999. - - [MAILING LIST] J. Mikkelsen, R. Eberhard, and J. Kistler, "General - ClientHello extension mechanism and virtual hosting," - ietf-tls mailing list posting, August 14, 2000. - - [AESSUITES] Chown, P., "Advanced Encryption Standard (AES) - Ciphersuites for Transport Layer Security (TLS)", RFC - 3268, June 2002. - -13. Authors' Addresses - - Simon Blake-Wilson - BCI - EMail: sblakewilson@bcisse.com - - Magnus Nystrom - RSA Security - EMail: magnus@rsasecurity.com - - David Hopwood - Independent Consultant - EMail: david.hopwood@zetnet.co.uk - - Jan Mikkelsen - Transactionware - EMail: janm@transactionware.com - - Tim Wright - Vodafone - EMail: timothy.wright@vodafone.com - - - - - - - - - - - - -Blake-Wilson, et. al. Standards Track [Page 28] - -RFC 3546 TLS Extensions June 2003 - - -14. Full Copyright Statement - - Copyright (C) The Internet Society (2003). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Acknowledgement - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - -Blake-Wilson, et. al. Standards Track [Page 29] - |