3.10 Safe Renegotiation

Some application protocols and implementations uses the TLS renegotiation feature in a manner that enables attackers to insert content of his choice in the beginning of a TLS session.

One easy to understand vulnerability is HTTPS when servers request client certificates optionally for certain parts of a web site. The attack works by having the attacker simulate a client and connect to a server, with server-only authentication, and send some data intended to cause harm. When the proper client attempts to contact the server, the attacker hijacks that connection and uses the TLS renegotiation feature with the server and splices in the client connection to the already established connection between the attacker and server. The attacker will not be able to read the data exchanged between the client and the server. However, the server will (incorrectly) assume that the data sent by the attacker was sent by the now authenticated client. The result is a prefix plain-text injection attack.

The above is just one example. Other vulnerabilities exists that do not rely on the TLS renegotiation to change the client’s authenticated status (either TLS or application layer).

While fixing these application protocols and implementations would be one natural reaction, an extension to TLS has been designed that cryptographically binds together any renegotiated handshakes with the initial negotiation. When the extension is used, the attack is detected and the session can be terminated. The extension is specified in [RFC5746] (see section Bibliography).

GnuTLS supports the safe renegotiation extension. The default behavior is as follows. Clients will attempt to negotiate the safe renegotiation extension when talking to servers. Servers will accept the extension when presented by clients. Clients and servers will permit an initial handshake to complete even when the other side does not support the safe renegotiation extension. Clients and servers will refuse renegotiation attempts when the extension has not been negotiated.

Note that permitting clients to connect to servers even when the safe renegotiation extension is not negotiated open up for some attacks. Changing this default behaviour would prevent interoperability against the majority of deployed servers out there. We will reconsider this default behaviour in the future when more servers have been upgraded. Note that it is easy to configure clients to always require the safe renegotiation extension from servers (see below on the %SAFE_RENEGOTIATION priority string).

To modify the default behaviour, we have introduced some new priority strings. The priority strings can be used by applications (see gnutls_priority_set) and end users (e.g., --priority parameter to gnutls-cli and gnutls-serv).

The %UNSAFE_RENEGOTIATION priority string permits (re-)handshakes even when the safe renegotiation extension was not negotiated. The default behavior is %PARTIAL_RENEGOTIATION that will prevent renegotiation with clients and servers not supporting the extension. This is secure for servers but leaves clients vulnerable to some attacks, but this is a tradeoff between security and compatibility with old servers. The %SAFE_RENEGOTIATION priority string makes clients and servers require the extension for every handshake. The latter is the most secure option for clients, at the cost of not being able to connect to legacy servers. Servers will also deny clients that do not support the extension from connecting.

It is possible to disable use of the extension completely, in both clients and servers, by using the %DISABLE_SAFE_RENEGOTIATION priority string however we strongly recommend you to only do this for debugging and test purposes.

The default values if the flags above are not specified are:

Server:

%PARTIAL_RENEGOTIATION

Client:

%PARTIAL_RENEGOTIATION

For applications we have introduced a new API related to safe renegotiation. The gnutls_safe_renegotiation_status function is used to check if the extension has been negotiated on a session, and can be used both by clients and servers.