TLS 1.2 Session Tickets (opens in new tab)

(blog.filippo.io)

183 pointsgtank8y ago48 comments

48 comments

The article and the comments here lack a bit of context. At the time where tickets were starting to be deployed (around 2011), ECDH ciphers were not in use and PFS was therefore quite expensive (and therefore, almost never used). Around the same time, the move from 1024-bit certificates to 2048-bit certificates were making TLS difficult to deploy at scale for everyone except Google.

Session tickets were primarily a mechanism to help to reduce to load of TLS connections. The reduced latency is a happy side-effect. At the time, it was already well-known that this would negatively impact PFS (something I already mention in my own blog article about session tickets in 2011).

Moreover, many seem to build a scenario where session tickets are recovered by an attacker but not the private keys. Usually, session tickets are in memory only and private keys are persisted. This makes those tickets more unlikely to be recovered by anyone unless you get access to a running web server. In this case, you have far more serious trouble than those tickets (even if the attacker still cannot decode past recorded data).

Even today, TLS handshakes are quite expensive, both for the server and the clients. Using session tickets (with rotated keys) still outweigh the downsides of not using them. That's why every major site are using them.

xenophonf8y ago

So if like me you want to know how to disable session tickets in Apache httpd, you need to be running at least httpd 2.4.8 with OpenSSL 1.0.2. Then you can set:

  SSLOpenSSLConfCmd Options -SessionTicket

Alternatively, if you're running at least httpd 2.4.11 with OpenSSL 0.9.8f, you can set this instead:

  SSLSessionTickets off

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessio...

xenophonf8y ago

Also, if you're running RHEL/CentOS 7, you'll want to switch to the SCL version of Apache httpd (2.4.25) as the version in the base repositories (2.4.6) is too old to support either setting:

https://www.softwarecollections.org/en/scls/rhscl/httpd24/

smegel8y ago

Well, technically RHEL7 runs httpd-2.4.6-67, which is RedHat's 67th patched version of 2.4.6.

They backport a lot of stuff from later versions, don't see why they could not have done this (they haven't, I checked).

tony1018y ago

> An attacker with the STEK doesn't need to wait until session resumption is attempted. Session Tickets containing the current session keys are sent at the beginning of every connection that merely supports Session Tickets. In plaintext on the wire, ready to be decrypted with the STEK, fully bypassing Diffie-Hellman.

I found this flaw to be the scariest, by far. It means that a connection with "forward secrecy" gives up this property as soon as it begins.

zaroth8y ago

Gives up the property before it begins even. But I completely agree with you. I would go as far to say a connection does not have PFS if you are sending the DH session key encrypted only by a [geographically replicated] static key before the session starts. You are literally destroying the entire purpose of the DH handshake in doing so.

I always assumed the STEK-encrypted session key was sent inside the established TLS PFS stream. To send it outside the stream is mind-numbingly insane!

Browsers should not report connections as having PFS if tickets are enabled in TLS 1.2. This is like NSA slide "PFS added and removed here :-)"

tptacek8y ago

You're clearly not destroying the entire purpose of the DH handshake, because the STEK is rotated and so the time window of compromise is limited to by the rotation interval. Even with poorly rotated ticket keys, you're still better off with a PFS suite than without it --- without the DH, every client has an unlimited window of exposure if the server's private key is compromised.

1 more reply

vbernat8y ago

This is by design. The primary goal of session tickets is to resume a session without doing excessive crypto (no asymmetric cryptography).

js28y ago

If you're using OpenSSL, you can disable RFC 5077 Session Tickets via SSL_OP_NO_TICKET:

https://wiki.openssl.org/index.php/SSL/TLS_Client#Session_Ti...

Figuring out how to access that option from your library/language is an exercise for the reader.

Looking into this for Python. Python 3 supports sessions and the tickets may be disabled:

https://docs.python.org/3/library/ssl.html#ssl.SSLSession

https://docs.python.org/3/library/ssl.html#ssl.OP_NO_TICKET

For Python 2, I see no way to get at the session object (at least on the client side), much less disable session tickets:

https://docs.python.org/2/library/ssl.html

Under Python 2, pyOpenSSL has better support. You can make use of it on Python2 (and 3) via requests by installing `requests[security]` instead of just `requests`. Using `[security]` causes requests to pull in pyOpenSSL, cryptography and idna packages.

Under the covers, requests is using urllib3 and it ends up makes this call if pyOpenSSL is installed:

    urllib3.contrib.pyopenssl.inject_into_urllib3()

http://urllib3.readthedocs.io/en/latest/reference/urllib3.co...

That's as far as I've gotten. There's no documentation so it's going to require reading the urllib3 source to figure out what's going on under the hood.

Edit: nope, urllib3 doesn't support SSL session re-use. There's an open PR:

https://github.com/shazow/urllib3/issues/590

jgrahamc8y ago

sdevlin8y ago

What is Cloud Flare's policy for managing STEKs? Are they distinct per geographic region as the article recommends?

prdonahue8y ago

TL/DR: we rotate them every hour, but need to keep history of previous STEKs for 18 hours to support the maximum session lifetime:

$ openssl s_client -connect cloudflare.com:443 2>/dev/null | grep "lifetime hint" TLS session ticket lifetime hint: 64800 (seconds)

We've written about how we manage TLS session tickets here: https://blog.cloudflare.com/tls-session-resumption-full-spee....

Additionally, I wrote here about a bug that we encountered with Microsoft's implementation of TLS session resumption: https://blog.cloudflare.com/microsoft-tls-downgrade-schannel....

Here's a snippet from my blog post:

Session Tickets at CloudFlare CloudFlare’s solution to this problem, documented in previous blog posts, is to frequently regenerate and synchronize these session ticket keys across our entire global network. We currently do this once per hour. This means we need a mechanism for turning over session ticket keys. For instance, if a client instantiates an HTTPS session at 12:00pm and continues using that ticket past 1:00pm, our edge network will re-encrypt the ticket with a brand new session ticket key.

To accomplish this, our web servers must have both the full history of all previous keys that could have encrypted the ticket (i.e., one per hour dating back to the maximum session lifetime of 64,800 seconds) as well as immediate access to each newly generated key. The previous keys are used exclusively to decrypt tickets presented by the client, while the new keys are used to "refresh" the encryption on existing tickets and encrypt tickets for entirely new sessions.

1 more reply

zaroth8y ago

It says in that deck: Distribute globally, rotate hourly, expire after 18 hours.

1 more reply

dward8y ago

One of the original goals of Google's QUIC[0] protocol was to achieve 0-RTT handshake. I wonder how TLS 1.{2,3} Session Tickets will affect the future of that protocol. Has it achieved it's purpose (applying the right pressure to the TLS working group)? Will it be phased out now?

[0] https://blog.chromium.org/2013/06/experimenting-with-quic.ht...

baby8y ago

I felt like Google was not going to move to TLS 1.3 if they had not included 0-RTT. Now that TLS 1.3 has agreed to include it, it seems logical to terminate QUIC crypto.

tedunangst8y ago

TLS 1.3 also supports 0 RTT. Subject to some replay attacks, the solution to which is “the application should detect and ignore that.”

e12e8y ago

Hm, looks like maybe a ticket should be filed against:

https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deploym...

As it stands, the point on resumption reads a little on the positive side?:

> 3.2 Use Session Resumption

> Session resumption is a performance-optimization technique that makes it possible to save the results of costly cryptographic operations and to reuse them for a period of time. A disabled or nonfunctional session resumption mechanism may introduce a significant performance penalty.

Does http2 have similar issues with session resumption (especially: compromised pfs)?

I came across this, which documents how cloudscape does this securely - at least they rotate - but looks like read access to memcache+compromise of a single web server is enough to compromise the past hour or two of ssl traffic that goes through cloudflare?

https://blog.cloudflare.com/tls-session-resumption-full-spee...

[ed: also came over this:

https://github.com/mozilla/cipherscan

Which looks very handy for sanity-checking servers.]

Hello718y ago

> I came across this, which documents how cloudscape does this securely - at least they rotate - but looks like read access to memcache+compromise of a single web server is enough to compromise the past hour or two of ssl traffic that goes through cloudflare?

but (depending on how you get in) you can probably also compromise the next few hours, so one extra hour doesn't seem like a huge difference, given that the scenario is somewhat unlikely in the first place.

e12e8y ago

It's relevant in terms of pfs. Say, you happen to have ciphertext of all traffic to a domain for the past three years (whitepower.forum.example.ru), and you get an urgent need to read that ciphertext. Now, if you could get physical access to any one cloudflare server, and perhaps dump the ram, or do a cold boot attack - that might have been enough to read all that data. Assume for the sake of argument, that the servers hosting the site is (physically) out of reach.

1 more reply

CaliforniaKarl8y ago

If I understand the article correctly, are all of the issues listed addressed by TLS 1.3?

FiloSottile8y ago

Strongly mitigated if not entirely fixed, but TLS 1.3 deployment is stalled on awful middleboxes breaking connections they have no business in, and TLS 1.2 is not nearly broken enough to see a significant exodus.

So this is what we are stuck with for the time being.

colmmacc8y ago

TLS 1.3 still has problems with STEKs. If you use STEKs with 0-RTT mode, then you lose forward secrecy and that's where the most sensitive data is likely to be: your request, password, credit card number, etc ...

0-RTT doesn't have to use STEKs, there's a better way to do it, but TLS1.3 won't enforce or require it (though it could), so it'll be up to the marketplace of ideas and security standards to sort it out.

niftich8y ago

0-RTT is an awful idea anyway; the equivalent of spray-and-pray. Some folks under HTTPbis are working on an Internet Draft on Early Data's (~0-RTT's) ramifications [1] in HTTP.

0-RTT trades performance at the expense of security properties inside the same tunable protocol, which is the sort of wishy-washy stuff I (and others) were hopeful we'd get away from, the same way PFS ciphersuites went from obscure to preferred overnight, the same way cleartext HTTP has been marginalized, the same way broken ciphersuites were aggressively blacklisted and underused ciphersuites were pruned.

[1] https://tools.ietf.org/html/draft-ietf-httpbis-replay-00

tony1018y ago

I believe you're correct.

CaliforniaKarl8y ago

OK, cool! In that case, I wish the article title was different, to reflect that the issues detailed in the article have all been fixed in TLS 1.3. I think it wasn't until the end of the first issue that "fixed in TLS 1.3" was mentioned.

Bhilai8y ago

I understand that TLS 1.3 is in draft stage currently. Is there an expected date of when TLS1.3 is supposed to be available in common libs and browsers ?

Also at current rate it sounds like it’s going to take years to phase out TLS 1.1. Would mordern browsers take a stand and refuse to initiate connections for older versions of TLS and its not just browsers right, there are other odd ball clients and enterprises using IE7 or something super old. I liked the way Apple had taken a stand with App Transport Security initially but even they backed down and pushed the deadline indefinitely.

Panino8y ago

> Also at current rate it sounds like it’s going to take years to phase out TLS 1.1.

It's already more or less phased out. On my webservers, TLS 1.1 accounts for 0.1% of traffic, and about half of that is junk requests like exploit attempts.

Check out SSL Pulse, specifically the Protocol Support graph:

https://www.ssllabs.com/ssl-pulse/

This used to show 100% support for TLS 1.0, which is now at 92.6% as some sites are now going 1.2-only. That's just webserver support, not usage. Huge real-world difference. Like my car supports not wearing a seal-belt but I always use it. The vast majority of usage is 1.2, and a large percentage of 1.0/1.1 traffic is unwanted garbage traffic. Hence why some people are disabling 1.0/1.1 in their webservers. It also exposes more code for questionable benefit.

BTW I'd love to know what sites support TLS 1.0 but not 1.2. What's the breakdown of the Alexa Top 1000 or so? I suspect it's mostly banks and unknown sites.

cesarb8y ago

> It's already more or less phased out.

Was TLS 1.1 ever "phased in"? It was the "most recent" TLS version for only a couple of years, so the early adopters went quickly to TLS 1.2, while the late adopters stayed at TLS 1.0 (or even "TLS 1.0 but disabled by default, therefore actually SSL 3.0"). Once the later adopters catch up, there's no reason for them to not jump directly to TLS 1.2.

agl8y ago

We are still working around bugs in network middleware. I hope that it will be available in Chrome and on Google's servers in Q1, 2018.

jessaustin8y ago

Is that a euphemism for "waiting for BlueCoat shitboxes to die and get replaced"?

ramshanker8y ago

We are doing all these session tickets gymnastic to reduce the round trip. Mostly considering web applications. In case of native mobile application, we could just add a splash-screen/quick 2 sec animation hiding the worst case 3x200ms round trip latency overhead. So at the start of the app we simply create a fresh perfectly secured TLS connection.

It appears a better choice from security standpoint, UI can always be cleverly tricked into being smooth.

gruturo8y ago

In case of 2.5G connections (I still get 2.5G on a regular basis, e.g. in some specific train stations on my way to work in the morning) it can easily be 800ms per RTT - so 2.4 seconds before you have a chance to request any content.

And no, you cannot really ignore this if you are interested in fostering TLS' adoption in the real world. Every tenth of a second causes a measurable loss in user interest, and in many organizations this metric will drive the decision. We cannot legislate from our ivory tower and expect the world to follow against their (perceived) best interest.

tptacek8y ago

It's not just reducing RTT latency; it's also reducing the number of bignum crypto operations the server needs to perform, which carry a significant computational cost.

maerek8y ago

For HAProxy 1.7 (may be present in older versions, didn't check), there's the 'no-ssl-reuse'[0] directive for the server.

[0]:https://cbonte.github.io/haproxy-dconv/1.7/configuration.htm...

anonacct378y ago

Well, on the bright side h2 and keepalive are other ways of reducing the overall number of tls handhakes required if you're doing http.

Too bad session resumption has issues.

bearhsiung8y ago

NewSessionTicket is sent before ChangeCipherSpec means the message is not encrypted using the master secret exchanged with the handshake and is not necessary means that the session ticket is in plaintext. Quite contrary, it has been encrypted using the server secret key. In the page 3 of RFC5077, it states "a ticket that is encrypted and integrity-protected by a key known only to the server." and in the page 11, "Tickets must be authenticated and encrypted to prevent modification or eavesdropping by an attacker."

j / k navigate · click thread line to collapse

48 comments

vbernat8y ago

xenophonf8y ago

So if like me you want to know how to disable session tickets in Apache httpd, you need to be running at least httpd 2.4.8 with OpenSSL 1.0.2. Then you can set:

  SSLOpenSSLConfCmd Options -SessionTicket

Alternatively, if you're running at least httpd 2.4.11 with OpenSSL 0.9.8f, you can set this instead:

  SSLSessionTickets off

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslsessio...

xenophonf8y ago

Also, if you're running RHEL/CentOS 7, you'll want to switch to the SCL version of Apache httpd (2.4.25) as the version in the base repositories (2.4.6) is too old to support either setting:

https://www.softwarecollections.org/en/scls/rhscl/httpd24/

smegel8y ago

Well, technically RHEL7 runs httpd-2.4.6-67, which is RedHat's 67th patched version of 2.4.6.

They backport a lot of stuff from later versions, don't see why they could not have done this (they haven't, I checked).

tony1018y ago

I found this flaw to be the scariest, by far. It means that a connection with "forward secrecy" gives up this property as soon as it begins.

zaroth8y ago

I always assumed the STEK-encrypted session key was sent inside the established TLS PFS stream. To send it outside the stream is mind-numbingly insane!

Browsers should not report connections as having PFS if tickets are enabled in TLS 1.2. This is like NSA slide "PFS added and removed here :-)"

tptacek8y ago

1 more reply

vbernat8y ago

This is by design. The primary goal of session tickets is to resume a session without doing excessive crypto (no asymmetric cryptography).

js28y ago

If you're using OpenSSL, you can disable RFC 5077 Session Tickets via SSL_OP_NO_TICKET:

https://wiki.openssl.org/index.php/SSL/TLS_Client#Session_Ti...

Figuring out how to access that option from your library/language is an exercise for the reader.

Looking into this for Python. Python 3 supports sessions and the tickets may be disabled:

https://docs.python.org/3/library/ssl.html#ssl.SSLSession

https://docs.python.org/3/library/ssl.html#ssl.OP_NO_TICKET

For Python 2, I see no way to get at the session object (at least on the client side), much less disable session tickets:

https://docs.python.org/2/library/ssl.html

Under the covers, requests is using urllib3 and it ends up makes this call if pyOpenSSL is installed:

    urllib3.contrib.pyopenssl.inject_into_urllib3()

http://urllib3.readthedocs.io/en/latest/reference/urllib3.co...

That's as far as I've gotten. There's no documentation so it's going to require reading the urllib3 source to figure out what's going on under the hood.

Edit: nope, urllib3 doesn't support SSL session re-use. There's an open PR:

https://github.com/shazow/urllib3/issues/590

jgrahamc8y ago

sdevlin8y ago

What is Cloud Flare's policy for managing STEKs? Are they distinct per geographic region as the article recommends?

prdonahue8y ago

TL/DR: we rotate them every hour, but need to keep history of previous STEKs for 18 hours to support the maximum session lifetime:

$ openssl s_client -connect cloudflare.com:443 2>/dev/null | grep "lifetime hint" TLS session ticket lifetime hint: 64800 (seconds)

We've written about how we manage TLS session tickets here: https://blog.cloudflare.com/tls-session-resumption-full-spee....

Additionally, I wrote here about a bug that we encountered with Microsoft's implementation of TLS session resumption: https://blog.cloudflare.com/microsoft-tls-downgrade-schannel....

Here's a snippet from my blog post:

1 more reply

zaroth8y ago

It says in that deck: Distribute globally, rotate hourly, expire after 18 hours.

1 more reply

dward8y ago

[0] https://blog.chromium.org/2013/06/experimenting-with-quic.ht...

baby8y ago

I felt like Google was not going to move to TLS 1.3 if they had not included 0-RTT. Now that TLS 1.3 has agreed to include it, it seems logical to terminate QUIC crypto.

tedunangst8y ago

TLS 1.3 also supports 0 RTT. Subject to some replay attacks, the solution to which is “the application should detect and ignore that.”

e12e8y ago

Hm, looks like maybe a ticket should be filed against:

https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deploym...

As it stands, the point on resumption reads a little on the positive side?:

> 3.2 Use Session Resumption

Does http2 have similar issues with session resumption (especially: compromised pfs)?

https://blog.cloudflare.com/tls-session-resumption-full-spee...

[ed: also came over this:

https://github.com/mozilla/cipherscan

Which looks very handy for sanity-checking servers.]

Hello718y ago

e12e8y ago

1 more reply

CaliforniaKarl8y ago

If I understand the article correctly, are all of the issues listed addressed by TLS 1.3?

FiloSottile8y ago

So this is what we are stuck with for the time being.

colmmacc8y ago

niftich8y ago

0-RTT is an awful idea anyway; the equivalent of spray-and-pray. Some folks under HTTPbis are working on an Internet Draft on Early Data's (~0-RTT's) ramifications [1] in HTTP.

[1] https://tools.ietf.org/html/draft-ietf-httpbis-replay-00

tony1018y ago

I believe you're correct.

CaliforniaKarl8y ago

Bhilai8y ago

I understand that TLS 1.3 is in draft stage currently. Is there an expected date of when TLS1.3 is supposed to be available in common libs and browsers ?

Panino8y ago

> Also at current rate it sounds like it’s going to take years to phase out TLS 1.1.

It's already more or less phased out. On my webservers, TLS 1.1 accounts for 0.1% of traffic, and about half of that is junk requests like exploit attempts.

Check out SSL Pulse, specifically the Protocol Support graph:

https://www.ssllabs.com/ssl-pulse/

BTW I'd love to know what sites support TLS 1.0 but not 1.2. What's the breakdown of the Alexa Top 1000 or so? I suspect it's mostly banks and unknown sites.

cesarb8y ago

> It's already more or less phased out.

agl8y ago

We are still working around bugs in network middleware. I hope that it will be available in Chrome and on Google's servers in Q1, 2018.

jessaustin8y ago

Is that a euphemism for "waiting for BlueCoat shitboxes to die and get replaced"?

ramshanker8y ago

It appears a better choice from security standpoint, UI can always be cleverly tricked into being smooth.

gruturo8y ago

tptacek8y ago

It's not just reducing RTT latency; it's also reducing the number of bignum crypto operations the server needs to perform, which carry a significant computational cost.

maerek8y ago

For HAProxy 1.7 (may be present in older versions, didn't check), there's the 'no-ssl-reuse'[0] directive for the server.

[0]:https://cbonte.github.io/haproxy-dconv/1.7/configuration.htm...

anonacct378y ago

Well, on the bright side h2 and keepalive are other ways of reducing the overall number of tls handhakes required if you're doing http.

Too bad session resumption has issues.

bearhsiung8y ago

j / k navigate · click thread line to collapse