summaryrefslogtreecommitdiff
path: root/doc/cha-intro-tls.texi
blob: 7646992fba1726260033c135f35bf3ba914d0725 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
@node Introduction to TLS
@chapter Introduction to @acronym{TLS} and @acronym{DTLS}

@acronym{TLS} stands for ``Transport Layer Security'' and is the
successor of SSL, the Secure Sockets Layer protocol @xcite{SSL3}
designed by Netscape.  @acronym{TLS} is an Internet protocol, defined
by @acronym{IETF}@footnote{IETF, or Internet Engineering Task Force,
is a large open international community of network designers,
operators, vendors, and researchers concerned with the evolution of
the Internet architecture and the smooth operation of the Internet.
It is open to any interested individual.}, described in @acronym{RFC}
4346 and also in @xcite{RESCORLA}.  The protocol provides
confidentiality, and authentication layers over any reliable transport
layer.  The description, below, refers to @acronym{TLS} 1.0 but also
applies to @acronym{TLS} 1.2 @xcite{RFC4346} and @acronym{SSL} 3.0,
since the differences of these protocols are not major.  

The @acronym{DTLS} protocol, or ``Datagram @acronym{TLS}'' is a
protocol with identical goals as @acronym{TLS}, but can operate
under unreliable transport layers, such as @acronym{UDP}. The
discussions below apply to this protocol as well, except when
noted otherwise.

Older protocols such as @acronym{SSL} 2.0 are not discussed nor implemented in
@acronym{GnuTLS} since they are not considered secure today.  

@menu
* TLS layers::
* The transport layer::
* The TLS record protocol::
* The TLS Alert Protocol::
* The TLS Handshake Protocol::
* TLS Extensions::
* Selecting cryptographic key sizes::
* On SSL 2 and older protocols::
@end menu

@node TLS layers
@section TLS Layers
@cindex TLS Layers

@acronym{TLS} is a layered protocol, and consists of the Record
Protocol, the Handshake Protocol and the Alert Protocol. The Record
Protocol is to serve all other protocols and is above the transport
layer.  The Record protocol offers symmetric encryption, data
authenticity, and optionally compression.

The Alert protocol offers some signaling to the other protocols. It
can help informing the peer for the cause of failures and other error
conditions.  @xref{The Alert Protocol}, for more information.  The
alert protocol is above the record protocol.

The Handshake protocol is responsible for the security parameters'
negotiation, the initial key exchange and authentication.  @xref{The
Handshake Protocol}, for more information about the handshake
protocol.  The protocol layering in TLS is shown in the figure below.

@image{gnutls-layers,12cm,8cm}

@node The transport layer
@section The Transport Layer
@cindex Transport protocol

@acronym{TLS} is not limited to one transport layer, it can be used
above any transport layer, as long as it is a reliable one.  A set of
functions is provided and their purpose is to load to @acronym{GnuTLS} the
required callbacks to access the transport layer.

@itemize
@item @ref{gnutls_transport_set_push_function}
@item @ref{gnutls_transport_set_vec_push_function}
@item @ref{gnutls_transport_set_pull_timeout_function} (for @acronym{DTLS} only)
@item @ref{gnutls_transport_set_pull_function}
@item @ref{gnutls_transport_set_ptr}
@item @ref{gnutls_transport_set_errno}
@end itemize

These functions accept a callback function as a parameter.  The
callback functions should return the number of bytes written, or -1 on
error and should set @code{errno} appropriately.

In some environments, setting @code{errno} is unreliable, for example
Windows have several errno variables in different CRTs, or it may be
that errno is not a thread-local variable.  If this is a concern to
you, call @code{gnutls_transport_set_errno} with the intended errno
value instead of setting @code{errno} directly.

@acronym{GnuTLS} currently only interprets the EINTR and EAGAIN errno
values and returns the corresponding @acronym{GnuTLS} error codes
@code{GNUTLS_E_INTERRUPTED} and @code{GNUTLS_E_AGAIN}.  These values
are usually returned by interrupted system calls, or when non blocking
IO is used.  All @acronym{GnuTLS} functions can be resumed (called
again), if any of these error codes is returned.  The error codes
above refer to the system call, not the @acronym{GnuTLS} function,
since signals do not interrupt @acronym{GnuTLS}' functions.

@acronym{DTLS} however deviates from this rule. Because it requires
timers and waiting for peer's messages during the handshake process,
@acronym{GnuTLS} will block and might be interrupted by signals. The
blocking operation of @acronym{GnuTLS} during @acronym{DTLS} handshake
can be changed using the appropriate flags in @ref{gnutls_init}.

By default, if the transport functions are not set, @acronym{GnuTLS}
will use the Berkeley Sockets functions. 

@node The TLS record protocol
@section The TLS Record Protocol
@cindex Record protocol

The Record protocol is the secure communications provider. Its purpose
is to encrypt, authenticate and ---optionally--- compress packets.
The following functions are available:

@table @asis

@item @ref{gnutls_record_send}:
To send a record packet with application data.

@item @ref{gnutls_record_recv}:
To receive a record packet with application data.

@item @ref{gnutls_record_recv_seq}:
To receive a record packet with application data as well
as the sequence number of that. This is useful in @acronym{DTLS}
where packets might be lost or received out of order.

@item @ref{gnutls_record_get_direction}:
To get the direction of the last interrupted function call.
@end table

In @acronym{TLS} those functions can be called at any time after
the handshake process is finished, when there is need to receive
or send data. In @acronym{DTLS} however, due to re-transmission
timers used in the handshake out-of-order handshake data might
be received for some time (maximum 60 seconds) after the handshake
process is finished. For this reason programs using @acronym{DTLS}
should call @ref{gnutls_record_recv} or @ref{gnutls_record_recv_seq}
for every packet received by the peer, even if no data were
expected. 

As you may have already noticed, the functions which access the Record
protocol, are quite limited, given the importance of this protocol in
@acronym{TLS}.  This is because the Record protocol's parameters are
all set by the Handshake protocol.

The Record protocol initially starts with NULL parameters, which means
no encryption, and no MAC is used. Encryption and authentication begin
just after the handshake protocol has finished.

@menu
* Encryption algorithms used in the record layer::
* Compression algorithms used in the record layer::
* Weaknesses and countermeasures::
* On Record Padding::
@end menu

@node Encryption algorithms used in the record layer
@subsection Encryption Algorithms Used in the Record Layer
@cindex Symmetric encryption algorithms

Confidentiality in the record layer is achieved by using symmetric
block encryption algorithms like @code{3DES}, @code{AES}@footnote{AES,
or Advanced Encryption Standard, is actually the RIJNDAEL algorithm.
This is the algorithm that replaced DES.}, or stream algorithms like
@code{ARCFOUR_128}@footnote{@code{ARCFOUR_128} is a compatible
algorithm with RSA's RC4 algorithm, which is considered to be a trade
secret.}. Ciphers are encryption algorithms that use a single, secret,
key to encrypt and decrypt data. Block algorithms in TLS also provide
protection against statistical analysis of the data.  Thus, if you're
using the @acronym{TLS} protocol, a random number of blocks will be
appended to data, to prevent eavesdroppers from guessing the actual
data size.

Supported cipher algorithms:

@table @code
@item 3DES_CBC
@code{3DES_CBC} is the DES block cipher algorithm used with triple
encryption (EDE). Has 64 bits block size and is used in CBC mode.

@item ARCFOUR_128
ARCFOUR is a fast stream cipher.

@item ARCFOUR_40
This is the ARCFOUR cipher that is fed with a 40 bit key,
which is considered weak.

@item AES_CBC
AES or RIJNDAEL is the block cipher algorithm that replaces the old
DES algorithm.  Has 128 bits block size and is used in CBC mode.

@item AES_GCM
This is the AES algorithm in the authenticated encryption GCM mode.
This mode combines message authentication and encryption.

@item CAMELLIA_CBC
CAMELLIA is an 128-bit block cipher developed by Mitsubish and NTT. It
is one of the approved ciphers of the European NESSIE and Japanese
CRYPTREC projects.

@end table


Supported MAC algorithms:

@table @code
@item MAC_MD5
MD5 is a cryptographic hash algorithm designed by Ron Rivest. Outputs
128 bits of data.

@item MAC_SHA
SHA is a cryptographic hash algorithm designed by NSA. Outputs 160
bits of data.

@item MAC_SHA256
SHA256 is a cryptographic hash algorithm designed by NSA. Outputs 256
bits of data.

@item MAC_AEAD
This indicates that an authenticated encryption algorithm, such as
GCM, is in use.

@end table

@node Compression algorithms used in the record layer
@subsection Compression Algorithms Used in the Record Layer
@cindex Compression algorithms

The TLS record layer also supports compression.  The algorithms
implemented in @acronym{GnuTLS} can be found in the table below.
All the algorithms except for DEFLATE which is
referenced in @xcite{RFC3749}, should be considered as
@acronym{GnuTLS}' extensions@footnote{You should use
@ref{gnutls_handshake_set_private_extensions} to enable private
extensions.}, and should be advertised only when the peer is known to
have a compliant client, to avoid interoperability problems.

The included algorithms perform really good when text, or other
compressible data are to be transfered, but offer nothing on already
compressed data, such as compressed images, zipped archives etc.
These compression algorithms, may be useful in high bandwidth TLS
tunnels, and in cases where network usage has to be minimized. As a
drawback, compression increases latency.

The record layer compression in @acronym{GnuTLS} is implemented based
on the proposal @xcite{RFC3749}.
The supported compression algorithms are:

@table @code
@item DEFLATE
Zlib compression, using the deflate algorithm.

@item NULL
No compression.

@end table

@node Weaknesses and countermeasures
@subsection Weaknesses and Countermeasures

Some weaknesses that may affect the security of the Record layer have
been found in @acronym{TLS} 1.0 protocol. These weaknesses can be
exploited by active attackers, and exploit the facts that

@enumerate

@item
@acronym{TLS} has separate alerts for ``decryption_failed'' and
``bad_record_mac''

@item
The decryption failure reason can be detected by timing the response
time.

@item
The IV for CBC encrypted packets is the last block of the previous
encrypted packet.

@end enumerate

Those weaknesses were solved in @acronym{TLS} 1.1 @xcite{RFC4346}
which is implemented in @acronym{GnuTLS}. For a detailed discussion
see the archives of the TLS Working Group mailing list and the paper
@xcite{CBCATT}.

@node On Record Padding
@subsection On Record Padding
@cindex Record padding
@cindex Bad record MAC

The TLS protocol allows for random padding of records, to make it more
difficult to perform analysis on the length of exchanged messages (RFC 5246 6.2.3.2).  
GnuTLS appears to be one of few implementation that take advantage of this text, 
and pad records by a random length.

The TLS implementation in the Symbian operating system, frequently
used by Nokia and Sony-Ericsson mobile phones, cannot handle
non-minimal record padding.  What happens when one of these clients
handshake with a GnuTLS server is that the client will fail to compute
the correct MAC for the record.  The client sends a TLS alert
(@code{bad_record_mac}) and disconnects.  Typically this will result
in error messages such as 'A TLS fatal alert has been received', 'Bad
record MAC', or both, on the GnuTLS server side.

GnuTLS implements a work around for this problem.  However, it has to
be enabled specifically.  It can be enabled by using
@ref{gnutls_record_disable_padding}, or @ref{gnutls_priority_set} with
the @code{%COMPAT} priority string.

If you implement an application that have a configuration file, we
recommend that you make it possible for users or administrators to
specify a GnuTLS protocol priority string, which is used by your
application via @ref{gnutls_priority_set}.  To allow the best
flexibility, make it possible to have a different priority string for
different incoming IP addresses.

To enable the workaround in the @code{gnutls-cli} client or the
@code{gnutls-serv} server, for testing of other implementations, use
the following parameter: @code{--priority "NORMAL:%COMPAT"}.


@node The TLS Alert Protocol
@section The TLS Alert Protocol
@anchor{The Alert Protocol}
@cindex Alert protocol

The Alert protocol is there to allow signals to be sent between peers.
These signals are mostly used to inform the peer about the cause of a
protocol failure. Some of these signals are used internally by the
protocol and the application protocol does not have to cope with them
(see @code{GNUTLS_A_CLOSE_NOTIFY}), and others refer to the
application protocol solely (see @code{GNUTLS_A_USER_CANCELLED}).  An
alert signal includes a level indication which may be either fatal or
warning. Fatal alerts always terminate the current connection, and
prevent future renegotiations using the current session ID.

The alert messages are protected by the record protocol, thus the
information that is included does not leak. You must take extreme care
for the alert information not to leak to a possible attacker, via
public log files etc.

@table @asis
@item @ref{gnutls_alert_send}:
To send an alert signal.

@item @ref{gnutls_error_to_alert}:
To map a gnutls error number to an alert signal.

@item @ref{gnutls_alert_get}:
Returns the last received alert.

@item @ref{gnutls_alert_get_name}:
Returns the name, in a character array, of the given alert.

@end table

@node The TLS Handshake Protocol
@section The TLS Handshake Protocol
@anchor{The Handshake Protocol}
@cindex Handshake protocol

The Handshake protocol is responsible for the ciphersuite negotiation,
the initial key exchange, and the authentication of the two peers.
This is fully controlled by the application layer, thus your program
has to set up the required parameters. Available functions to control
the handshake protocol include:

@table @asis
@item @ref{gnutls_priority_init}:
To initialize a priority set of ciphers.

@item @ref{gnutls_priority_deinit}:
To deinitialize a priority set of ciphers.

@item @ref{gnutls_priority_set}:
To associate a priority set with a @acronym{TLS} session.

@item @ref{gnutls_priority_set_direct}:
To directly associate a session with a given priority string.

@item @ref{gnutls_credentials_set}:
To set the appropriate credentials structures.

@item @ref{gnutls_certificate_server_set_request}:
To set whether client certificate is required or not.

@item @ref{gnutls_handshake}:
To initiate the handshake.
@end table

@menu
* TLS Cipher Suites::           TLS session parameters.
* Priority Strings::            Defining how parameters are negotiated.
* Client Authentication::       Requesting a certificate from the client.
* Resuming Sessions::           Reusing previously established keys.
* Resuming Internals::          More information on reusing previously established keys.
* Interoperability::            About interoperability with other implementations.
@end menu

@node TLS Cipher Suites
@subsection TLS Cipher Suites

The Handshake Protocol of @acronym{TLS} negotiates cipher suites of
the form @code{TLS_DHE_RSA_WITH_3DES_CBC_SHA}.  The usual cipher
suites contain these parameters:

@itemize

@item The key exchange algorithm.
@code{DHE_RSA} in the example.

@item The Symmetric encryption algorithm and mode
@code{3DES_CBC} in this example.

@item The MAC@footnote{MAC stands for Message Authentication Code. It can be described as a keyed hash algorithm. See RFC2104.} algorithm used for authentication.
@code{MAC_SHA} is used in the above example.

@end itemize

The cipher suite negotiated in the handshake protocol will affect the
Record Protocol, by enabling encryption and data authentication.  Note
that you should not over rely on @acronym{TLS} to negotiate the
strongest available cipher suite. Do not enable ciphers and algorithms
that you consider weak.

All the supported ciphersuites are shown in @ref{ciphersuites}.

@node Priority Strings
@subsection Priority Strings

In order to specify cipher suite preferences, the
previously shown priority functions accept a string
that specifies the algorithms to be enabled in a TLS handshake.
That string may contain some high level keyword such as:

@table @asis
@item PERFORMANCE:
All the "secure" ciphersuites are enabled,
limited to 128 bit ciphers and sorted by terms of speed
performance.

@item NORMAL:
Means all "secure" ciphersuites. The 256-bit ciphers are
included as a fallback only.  The ciphers are sorted by security
margin.

@item SECURE128: 
Means all "secure" ciphersuites with ciphers up to 128
bits, sorted by security margin.

@item SECURE256:
Means all "secure" ciphersuites including the 256 bit
ciphers, sorted by security margin.

@item EXPORT:
Means all ciphersuites are enabled, including the
low-security 40 bit ciphers.

@item NONE:
Means nothing is enabled.  This disables even protocols and
compression methods. It should be followed by the
algorithms to be enabled.

@end table

or it might contain special keywords, that will be explained
later on.

Unless the first keyword is "NONE" the defaults (in preference
order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0, SSL3.0; for
compression NULL; for certificate types X.509, OpenPGP.
For key exchange algorithms when in NORMAL or SECURE levels the
perfect forward secrecy algorithms take precedence of the other
protocols.  In all cases all the supported key exchange algorithms
 are enabled (except for the RSA-EXPORT which is only enabled in
EXPORT level).

The NONE keyword is followed by the algorithms to be enabled,
and is used to provide the exact list of requested algorithms@footnote{
To avoid collisions in order to specify a compression algorithm in
this string you have to prefix it with "COMP-", protocol versions
with "VERS-", signature algorithms with "SIGN-" and certificate types with "CTYPE-". All other
algorithms don't need a prefix.}. The order with which every algorithm
is specified is significant. Similar algorithms specified before others
will take precedence.

Keywords prepended to individual algorithms:
@table @asis

@item '!' or '-' 
appended with an algorithm will remove this algorithm.

@item "+" 
appended with an algorithm will add this algorithm.

@end table

Individual algorithms:
@table @asis
@item Ciphers: 
AES-128-CBC, AES-256-CBC, AES-128-GCM, CAMELLIA-128-CBC,
CAMELLIA-256-CBC, ARCFOUR-128, 3DES-CBC ARCFOUR-40. Catch all
name is CIPHER-ALL which will add all the algorithms from NORMAL
priority.

@item Key exchange: 
RSA, DHE-RSA, DHE-DSS, SRP, SRP-RSA, SRP-DSS,
PSK, DHE-PSK, ECDHE-RSA, ANON-ECDH, ANON-DH, RSA-EXPORT. The
Catch all name is KX-ALL which will add all the algorithms from NORMAL
priority.

@item MAC: 
MD5, SHA1, SHA256, AEAD (used with
GCM ciphers only). All algorithms from NORMAL priority can be accessed with MAC-ALL.

@item Compression algorithms: 
COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.

@item TLS versions: 
VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1,
VERS-TLS1.2. Catch all is VERS-TLS-ALL.

@item Signature algorithms: 
SIGN-RSA-SHA1, SIGN-RSA-SHA224, 
SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-DSA-SHA1, 
SIGN-DSA-SHA224, SIGN-DSA-SHA256, SIGN-RSA-MD5. Catch all
is SIGN-ALL. This is only valid for TLS 1.2 and later.

@item Elliptic curves:
CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1. Catch all is CURVE-ALL.

@end table


Special keywords:
@table @asis

@item %COMPAT:
will enable compatibility mode. It might mean that violations
of the protocols are allowed as long as maximum compatibility with
problematic clients and servers is achieved.

@item %DISABLE_SAFE_RENEGOTIATION:
will disable safe renegotiation
completely.  Do not use unless you know what you are doing.
Testing purposes only.

@item %UNSAFE_RENEGOTIATION:
will allow handshakes and rehandshakes
without the safe renegotiation extension.  Note that for clients
this mode is insecure (you may be under attack), and for servers it
will allow insecure clients to connect (which could be fooled by an
attacker).  Do not use unless you know what you are doing and want
maximum compatibility.

@item %PARTIAL_RENEGOTIATION:
will allow initial handshakes to proceed,
but not rehandshakes.  This leaves the client vulnerable to attack,
and servers will be compatible with non-upgraded clients for
initial handshakes.  This is currently the default for clients and
servers, for compatibility reasons.

@item %SAFE_RENEGOTIATION:
will enforce safe renegotiation.  Clients and
servers will refuse to talk to an insecure peer.  Currently this
causes operability problems, but is required for full protection.

@item %SSL3_RECORD_VERSION:
will use SSL3.0 record version in client hello.
This is the default.

@item %LATEST_RECORD_VERSION:
will use the latest TLS version record version in client hello.

@item %VERIFY_ALLOW_SIGN_RSA_MD5:
will allow RSA-MD5 signatures in certificate chains.

@item %VERIFY_ALLOW_X509_V1_CA_CRT:
will allow V1 CAs in chains.

@end table

@node Client Authentication
@subsection Client Authentication
@cindex Client Certificate authentication

In the case of ciphersuites that use certificate authentication, the
authentication of the client is optional in @acronym{TLS}.  A server
may request a certificate from the client --- using the
@ref{gnutls_certificate_server_set_request} function. If a certificate
is to be requested from the client during the handshake, the server
will send a certificate request message that contains a list of
acceptable certificate signers. In @acronym{GnuTLS} the certificate
signers list is constructed using the trusted Certificate Authorities
by the server. That is the ones set using
@itemize
@item @ref{gnutls_certificate_set_x509_trust_file}
@item @ref{gnutls_certificate_set_x509_trust_mem}
@end itemize

Sending of the names of the CAs can be controlled using
@ref{gnutls_certificate_send_x509_rdn_sequence}. The client, then, may
send a certificate, signed by one of the server's acceptable signers.

@node Resuming Sessions
@subsection Resuming Sessions
@anchor{resume}
@cindex Resuming sessions

The @ref{gnutls_handshake} function, is expensive since a lot of
calculations are performed. In order to support many fast connections
to the same server a client may use session resuming. @strong{Session
resuming} is a feature of the @acronym{TLS} protocol which allows a
client to connect to a server, after a successful handshake, without
the expensive calculations.  This is achieved by using the previously
established keys. @acronym{GnuTLS} supports this feature, and the
example (@pxref{ex:resume-client}) illustrates a typical use of it.

Keep in mind that sessions are expired after some time, for security
reasons, thus it may be normal for a server not to resume a session
even if you requested that.  Also note that you must enable, using the
priority functions, at least the algorithms used in the last session.

@node Resuming Internals
@subsection Resuming Internals

The resuming capability, mostly in the server side, is one of the
problems of a thread-safe TLS implementations. The problem is that all
threads must share information in order to be able to resume
sessions. The gnutls approach is, in case of a client, to leave all
the burden of resuming to the client. I.e., copy and keep the
necessary parameters. See the functions:

@itemize

@item @ref{gnutls_session_get_data}

@item @ref{gnutls_session_get_id}

@item @ref{gnutls_session_set_data}

@end itemize

The server side is different. A server has to specify some callback
functions which store, retrieve and delete session data. These can be
registered with:

@itemize

@item @ref{gnutls_db_set_remove_function}

@item @ref{gnutls_db_set_store_function}

@item @ref{gnutls_db_set_retrieve_function}

@item @ref{gnutls_db_set_ptr}

@end itemize

It might also be useful to be able to check for expired sessions in
order to remove them, and save space. The function
@ref{gnutls_db_check_entry} is provided for that reason.

@node Interoperability
@subsection Interoperability

The @acronym{TLS} handshake is a complex procedure that negotiates all
required parameters for a secure session. @acronym{GnuTLS} supports
several @acronym{TLS} extensions, as well as the latest @acronym{TLS} protocol 
version 1.2. However few implementations are not able to
properly interoperate once faced with extensions or version protocols
they do not support and understand. The @acronym{TLS} protocol allows for a
graceful downgrade to the commonly supported options, but practice shows 
it is not always implemented correctly. 

Because there is no way to achieve maximum interoperability with broken peers
without sacrificing security, @acronym{GnuTLS} ignores such peers by default. 
This might not be acceptable in cases where maximum compatibility
is required. Thus we allow enabling compatibility with broken peers using
priority strings (see @ref{Priority Strings}). An example priority string that
is known to provide wide compatibility even with broken peers
is shown below:
@example
NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
@end example
This priority string will only enable SSL 3.0 and TLS 1.0 as protocols and
will disable, via the @code{%COMPAT} keyword, several @acronym{TLS} protocol
options that are known to cause compatibility problems.
We suggest however only to use this mode if compatibility issues occur.

@node TLS Extensions
@section TLS Extensions
@cindex TLS Extensions

A number of extensions to the @acronym{TLS} protocol have been
proposed mainly in @xcite{TLSEXT}. The extensions supported
in @acronym{GnuTLS} are:

@itemize
@item Maximum fragment length negotiation
@item Server name indication
@item Session tickets
@item Safe Renegotiation
@end itemize

and they will be discussed in the subsections that follow.

@subsection Maximum Fragment Length Negotiation
@cindex TLS Extensions
@cindex Maximum fragment length

This extension allows a @acronym{TLS} implementation to negotiate a
smaller value for record packet maximum length. This extension may be
useful to clients with constrained capabilities. See the
@ref{gnutls_record_set_max_size} and the
@ref{gnutls_record_get_max_size} functions.

@subsection Server Name Indication
@anchor{serverind}
@cindex TLS Extensions
@cindex Server name indication

A common problem in @acronym{HTTPS} servers is the fact that the
@acronym{TLS} protocol is not aware of the hostname that a client
connects to, when the handshake procedure begins. For that reason the
@acronym{TLS} server has no way to know which certificate to send.

This extension solves that problem within the @acronym{TLS} protocol,
and allows a client to send the HTTP hostname before the handshake
begins within the first handshake packet.  The functions
@ref{gnutls_server_name_set} and @ref{gnutls_server_name_get} can be
used to enable this extension, or to retrieve the name sent by a
client.

@subsection Session Tickets
@cindex TLS Extensions
@cindex Session Tickets
@cindex Ticket

To resume a TLS session the server normally store some state.  This
complicates deployment, and typical situations the client can cache
information and send it to the server instead.  The Session Ticket
extension implements this idea, and it is documented in
RFC 5077 @xcite{TLSTKT}.

Clients can enable support for TLS tickets with
@ref{gnutls_session_ticket_enable_client} and servers use
@ref{gnutls_session_ticket_key_generate} to generate a key and
@ref{gnutls_session_ticket_enable_server} to enable the extension.
Clients resume sessions using the ticket using the normal session
resume functions, @ref{resume}.

@subsection Safe Renegotiation
@cindex renegotiation

TLS gives the option to two communicating parties to renegotiate
and update their security parameters. One useful example of this feature
was for a client to initially connect using anonymous negotiation to a
server, and the renegotiate using some authenticated ciphersuite. This occured
to avoid having the client sending its credentials in the clear.

However this renegotiation, as initially designed would not ensure that
the party one is renegotiating is the same as the one in the initial negotiation.
For example one server could forward all renegotiation traffic to an other
server who will see this traffic as an initial negotiation attempt.

This might be seen as a valid design decision, but it seems it was
not widely known or understood, thus today some application protocols the TLS
renegotiation feature in a manner that enables a malicious server to insert
content of his choice in the beginning of a TLS session.

The most prominent vulnerability was with HTTPS. There servers request
a renegotiation to enforce an anonymous user to use a certificate in order
to access certain parts of a web site.  The
attack works by having the attacker simulate a client and connect to a
server, with server-only authentication, and send some data intended
to cause harm.  The server will then require renegotiation from him
in order to perform the request. 
When the proper client attempts to contact the server,
the attacker hijacks that connection and forwards traffic to
the initial server that requested renegotiation.  The
attacker will not be able to read the data exchanged between the
client and the server.  However, the server will (incorrectly) assume
that the initial request sent by the attacker was sent by the now authenticated
client.  The result is a prefix plain-text injection attack.

The above is just one example.  Other vulnerabilities exists that do
not rely on the TLS renegotiation to change the client's authenticated
status (either TLS or application layer).

While fixing these application protocols and implementations would be
one natural reaction, an extension to TLS has been designed that
cryptographically binds together any renegotiated handshakes with the
initial negotiation.  When the extension is used, the attack is
detected and the session can be terminated.  The extension is
specified in @xcite{RFC5746}.

GnuTLS supports the safe renegotiation extension.  The default
behavior is as follows.  Clients will attempt to negotiate the safe
renegotiation extension when talking to servers.  Servers will accept
the extension when presented by clients.  Clients and servers will
permit an initial handshake to complete even when the other side does
not support the safe renegotiation extension.  Clients and servers
will refuse renegotiation attempts when the extension has not been
negotiated.

Note that permitting clients to connect to servers when the safe
renegotiation extension is not enabled, is open up for attacks.
Changing this default behaviour would prevent interoperability against
the majority of deployed servers out there.  We will reconsider this
default behaviour in the future when more servers have been upgraded.
Note that it is easy to configure clients to always require the safe
renegotiation extension from servers (see below on the
@code{%SAFE_RENEGOTIATION} priority string).

To modify the default behaviour, we have introduced some new priority
strings.  The priority strings can be used by applications
(@pxref{gnutls_priority_set}) and end users (e.g., @code{--priority}
parameter to @code{gnutls-cli} and @code{gnutls-serv}).

The @code{%UNSAFE_RENEGOTIATION} priority string permits
(re-)handshakes even when the safe renegotiation extension was not
negotiated. The default behavior is @code{%PARTIAL_RENEGOTIATION} that will
prevent renegotiation with clients and servers not supporting the
extension. This is secure for servers but leaves clients vulnerable
to some attacks, but this is a tradeoff between security and compatibility
with old servers. The @code{%SAFE_RENEGOTIATION} priority string makes
clients and servers require the extension for every handshake. The latter
is the most secure option for clients, at the cost of not being able
to connect to legacy servers. Servers will also deny clients that
do not support the extension from connecting.

It is possible to disable use of the extension completely, in both
clients and servers, by using the @code{%DISABLE_SAFE_RENEGOTIATION}
priority string however we strongly recommend you to only do this for
debugging and test purposes.

The default values if the flags above are not specified are:
@table @code

@item Server:
%PARTIAL_RENEGOTIATION

@item Client:
%PARTIAL_RENEGOTIATION

@end table

For applications we have introduced a new API related to safe
renegotiation.  The @ref{gnutls_safe_renegotiation_status} function is
used to check if the extension has been negotiated on a session, and
can be used both by clients and servers.

@node Selecting cryptographic key sizes
@section Selecting Cryptographic Key Sizes
@cindex key sizes

In TLS, since a lot of algorithms are involved, it is not easy to set
a consistent security level.  For this reason this section will
present some correspondance between key sizes of symmetric algorithms
and public key algorithms based on the ``ECRYPT II Yearly Report on Algorithms and Keysizes (2009-2010)''
in @xcite{ECRYPT}.  Those can be used to generate certificates with
appropriate key sizes as well as parameters for Diffie-Hellman and SRP
authentication.

@multitable @columnfractions .10 .15 .10 .20 .35

@item Security bits
@tab RSA, DH and SRP parameter size
@tab ECC key size
@tab @code{gnutls_sec_param_t}
@tab Description

@item 64
@tab 816
@tab 128
@tab @code{WEAK}
@tab Very short term protection against small organizations

@item 80
@tab 1248
@tab 160
@tab @code{LOW}
@tab Very short term protection against agencies

@item 112
@tab 2432
@tab 224
@tab @code{NORMAL}
@tab Medium-term protection

@item 128
@tab 3248
@tab 256
@tab @code{HIGH}
@tab Long term protection

@item 256
@tab 15424
@tab 512
@tab @code{ULTRA}
@tab Foreseeable future

@end multitable

The first column provides a security parameter in a number of bits. This
gives an indication of the number of combinations to be tried by an adversary
to brute force a key. For example to test all possible keys in a 112 bit security parameter
@math{2^{112}} combinations have to be tried. For today's technology this is infeasible.
The next two columns correlate the security
parameter with actual bit sizes of parameters for DH, RSA, SRP and ECC algorithms.
A mapping to @code{gnutls_sec_param_t} value is given for each security parameter, on
the next column, and finally a brief description of the level.

Note however that the values suggested here are nothing more than an
educated guess that is valid today. There are no guarrantees that an
algorithm will remain unbreakable or that these values will remain
constant in time. There could be scientific breakthroughs that cannot
be predicted or total failure of the current public key systems by
quantum computers. On the other hand though the cryptosystems used in
TLS are selected in a conservative way and such catastrophic
breakthroughs or failures are believed to be unlikely.

NIST publication SP 800-57 @xcite{NISTSP80057} contains a similar
table.

When using @acronym{GnuTLS} and a decision on bit sizes for a public
key algorithm is required, use of the following functions is  
recommended:
@itemize

@item @ref{gnutls_pk_bits_to_sec_param}

@item @ref{gnutls_sec_param_to_pk_bits}

@end itemize
Those functions will convert a human understandable security parameter
of @code{gnutls_sec_param_t} type, to a number of bits suitable for a public 
key algorithm.

@node On SSL 2 and older protocols
@section On SSL 2 and Older Protocols
@cindex SSL 2

One of the initial decisions in the @acronym{GnuTLS} development was
to implement the known security protocols for the transport layer.
Initially @acronym{TLS} 1.0 was implemented since it was the latest at
that time, and was considered to be the most advanced in security
properties.  Later the @acronym{SSL} 3.0 protocol was implemented
since it is still the only protocol supported by several servers and
there are no serious security vulnerabilities known.

One question that may arise is why we didn't implement @acronym{SSL}
2.0 in the library.  There are several reasons, most important being
that it has serious security flaws, unacceptable for a modern security
library.  Other than that, this protocol is barely used by anyone
these days since it has been deprecated since 1996.  The security
problems in @acronym{SSL} 2.0 include:

@itemize

@item Message integrity compromised.
The @acronym{SSLv2} message authentication uses the MD5 function, and
is insecure.

@item Man-in-the-middle attack.
There is no protection of the handshake in @acronym{SSLv2}, which
permits a man-in-the-middle attack.

@item Truncation attack.
@acronym{SSLv2} relies on TCP FIN to close the session, so the
attacker can forge a TCP FIN, and the peer cannot tell if it was a
legitimate end of data or not.

@item Weak message integrity for export ciphers.
The cryptographic keys in @acronym{SSLv2} are used for both message
authentication and encryption, so if weak encryption schemes are
negotiated (say 40-bit keys) the message authentication code use the
same weak key, which isn't necessary.

@end itemize

@cindex PCT
Other protocols such as Microsoft's @acronym{PCT} 1 and @acronym{PCT}
2 were not implemented because they were also abandoned and deprecated
by @acronym{SSL} 3.0 and later @acronym{TLS} 1.0.