1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 4 March 2015 for version
3.5.3 of GnuTLS.
Copyright (C) 2001-2015 Free Software Foundation, Inc.\\
Copyright (C) 2001-2015 Nikos Mavrogiannopoulos
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.5.3: Upward negotiation</title>
<meta name="description" content="GnuTLS 3.5.3: Upward negotiation">
<meta name="keywords" content="GnuTLS 3.5.3: Upward negotiation">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="How-to-use-TLS-in-application-protocols.html#How-to-use-TLS-in-application-protocols" rel="up" title="How to use TLS in application protocols">
<link href="On-SSL-2-and-older-protocols.html#On-SSL-2-and-older-protocols" rel="next" title="On SSL 2 and older protocols">
<link href="Separate-ports.html#Separate-ports" rel="prev" title="Separate ports">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
body {
margin: 2%;
padding: 0 5%;
background: #ffffff;
}
h1,h2,h3,h4,h5 {
font-weight: bold;
padding: 5px 5px 5px 5px;
background-color: #c2e0ff;
color: #336699;
}
h1 {
padding: 2em 2em 2em 5%;
color: white;
background: #336699;
text-align: center;
letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
margin: 0 5%;
padding: 0.5em;
}
pre.example,pre.verbatim {
padding-bottom: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 1px 1px 1px 5px;
margin: 1em auto;
width: 90%;
}
div.node {
margin: 0 -5% 0 -2%;
padding: 0.5em 0.5em;
margin-top: 0.5em;
margin-bottom: 0.5em;
font-weight: bold;
}
dd, li {
padding-top: 0.1em;
padding-bottom: 0.1em;
}
div.float {
margin-bottom: 0.5em;
text-align: center;
}
table {
text-align: left;
margin-left:auto;
margin-right:auto;
border-spacing: 7px;
width: 50%;
}
th {
padding: 0;
color: #336699;
background-color: #c2e0ff;
border: solid #000000;
border-width: 0px;
margin: 1em auto;
text-align: center;
margin-left:auto;
margin-right:auto;
}
td {
padding: 0;
border: solid #000000;
background-color: #f0faff;
border-width: 0px;
margin: 1em auto;
text-align: left;
margin-left:auto;
margin-right:auto;
padding-left: 1em;
}
dl {
text-align: left;
margin-left:auto;
margin-right:auto;
width: 50%;
padding-left: 1em;
border: solid #c2e0ff;
background: #f0faff;
border-width: 5px 1px 1px 1px;
margin: 1em auto;
}
-->
</style>
</head>
<body lang="en">
<a name="Upward-negotiation"></a>
<div class="header">
<p>
Previous: <a href="Separate-ports.html#Separate-ports" accesskey="p" rel="prev">Separate ports</a>, Up: <a href="How-to-use-TLS-in-application-protocols.html#How-to-use-TLS-in-application-protocols" accesskey="u" rel="up">How to use TLS in application protocols</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Upward-negotiation-1"></a>
<h4 class="subsection">3.7.2 Upward negotiation</h4>
<p>Other application protocols<a name="DOCF7" href="#FOOT7"><sup>7</sup></a> use a
different approach to enable the secure layer. They use something
often called as the “TLS upgrade” method. This method is quite tricky but it
is more flexible. The idea is to extend the application protocol to
have a “STARTTLS” request, whose purpose it to start the TLS
protocols just after the client requests it. This approach
does not require any extra port to be reserved.
There is even an extension to HTTP protocol to support
this method [<em>RFC2817</em>].
</p>
<p>The tricky part, in this method, is that the “STARTTLS” request is
sent in the clear, thus is vulnerable to modifications. A typical
attack is to modify the messages in a way that the client is fooled
and thinks that the server does not have the “STARTTLS” capability.
See a typical conversation of a hypothetical protocol:
</p>
<blockquote>
<p>(client connects to the server)
</p>
<p>CLIENT: HELLO I’M MR. XXX
</p>
<p>SERVER: NICE TO MEET YOU XXX
</p>
<p>CLIENT: PLEASE START TLS
</p>
<p>SERVER: OK
</p>
<p>*** TLS STARTS
</p>
<p>CLIENT: HERE ARE SOME CONFIDENTIAL DATA
</p></blockquote>
<p>And an example of a conversation where someone is acting
in between:
</p>
<blockquote>
<p>(client connects to the server)
</p>
<p>CLIENT: HELLO I’M MR. XXX
</p>
<p>SERVER: NICE TO MEET YOU XXX
</p>
<p>CLIENT: PLEASE START TLS
</p>
<p>(here someone inserts this message)
</p>
<p>SERVER: SORRY I DON’T HAVE THIS CAPABILITY
</p>
<p>CLIENT: HERE ARE SOME CONFIDENTIAL DATA
</p></blockquote>
<p>As you can see above the client was fooled, and was naïve enough to
send the confidential data in the clear, despite the server telling the
client that it does not support “STARTTLS”.
</p>
<p>How do we avoid the above attack? As you may have already noticed this
situation is easy to avoid. The client has to ask the user before it
connects whether the user requests <acronym>TLS</acronym> or not. If the user
answered that he certainly wants the secure layer the last
conversation should be:
</p>
<blockquote>
<p>(client connects to the server)
</p>
<p>CLIENT: HELLO I’M MR. XXX
</p>
<p>SERVER: NICE TO MEET YOU XXX
</p>
<p>CLIENT: PLEASE START TLS
</p>
<p>(here someone inserts this message)
</p>
<p>SERVER: SORRY I DON’T HAVE THIS CAPABILITY
</p>
<p>CLIENT: BYE
</p>
<p>(the client notifies the user that the secure connection was not possible)
</p></blockquote>
<p>This method, if implemented properly, is far better than the
traditional method, and the security properties remain the same, since
only denial of service is possible. The benefit is that the server may
request additional data before the <acronym>TLS</acronym> Handshake protocol
starts, in order to send the correct certificate, use the correct
password file, or anything else!
</p>
<div class="footnote">
<hr>
<h4 class="footnotes-heading">Footnotes</h4>
<h3><a name="FOOT7" href="#DOCF7">(7)</a></h3>
<p>See LDAP, IMAP etc.</p>
</div>
<hr>
<div class="header">
<p>
Previous: <a href="Separate-ports.html#Separate-ports" accesskey="p" rel="prev">Separate ports</a>, Up: <a href="How-to-use-TLS-in-application-protocols.html#How-to-use-TLS-in-application-protocols" accesskey="u" rel="up">How to use TLS in application protocols</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
</body>
</html>
|
