Schannel and Session Renegotiation

Discussion:

(too old to reply)

Mark M.

2003-08-28 18:23:40 UTC

Hi Folks - (in particular Vishal Mishra & John Banes from MS...)

A question regarding SSL session key renegotiation in SChannel.

(FYI - Vishal has previously pointed out that in fact CLIENT-side initiated
Session Renegotiation is NOT supported by SChannel on W2K(before SP5) or WXP
(before SP2). The first time thats been mentioned anywhere by MS AFAIK)

Anyway - here goes for SERVER-side initiated Renegotation (the usual
scenario...)

Question: How are Encrypted Application Layer Records from the server
handled by an Schannel client
during a Session renegotiation?

Detail:
1. A server requests a renegotiation by sending a HELLO_REQUEST, that the
clients DecrpytMessage() recognises by returning SEC_I_RENEGOTIATE.

2. The client can then kick off a new handshake loop at its leisure (the
server MAY enforce the renegotiation, or it may not). The client could in
fact ignore the request...lets say it'd like to comply.....

3. The client makes repeated calls to InitializeSecurityContext() during the
handshake loop, the first one passing in empty buffers & building a
CLIENT_HELLO, which it sends back to the server begin the renegotiation
proper.

4. The client read() 's data returned by the server & passes it into
InitializeSecurityContext() until complete....

BUT: PROBLEM: When a client is in a "handshake loop" in it is entirely
possible to read()
application layer records (not "handshake" records) "from-the-wire" -
sent by the server before IT received the
initial CLIENT_HELLO.

If the SDK samples are followed, these records will all be handled by
InitializeSecurityContext().
This works fine if the records are indeed all handshake records, but
what is InitializeSecurityContext()'s behaviour if passed in data that
contains an application layer record encrypted
with the "old" session keys?

There is no reason for the server NOT to continue sending encrypted data
having requested a renegotiation, as it is allowed for the client to ignore
the renegotiate request!
Of course once the server receives the CLIENT_HELLO - it should stop sending
further encrypted data.

One _could_ have a look at the records as they come in (during the handshake
loop) & explicitly check for handshake type messages
[first byte in the record - 0x17 for application layer data, 0x16 for
Handshake messages]
Then pass any App records to DecryptMessage, until we get a Handshake
message, at which point we continue
with our InitializeSecurityContext loop as normal.
[ Even then - whats to stop the Handshake message being another
HELLO_REQUEST, which is properly handled by DecryptMessage ???? ]

But isn't the API supposed to take care of that kind of stuff.....?

Any further insight would be much appreciated. .......(a bit long I know -
but then again what do you expect with such an unwieldy API.....)

Thanks a lot folks

Regards......................Mark.

Vishal Mishra [MS]

2003-08-28 20:22:24 UTC

Permalink

Server (non-anonymous) can ask for renegotiation in 3 cases:

1- Upfront the server can ask a client to authenticate and send the client
certificate. This is during the initial handshake and the server sends a
"certificate_request" message (pass the flag bewlo to ASC and Schannel does
this)
Server initiated renegotiation requires:
dwSSPIFlags |= ASC_REQ_MUTUAL_AUTH;

2- After the initial handshake, the client requests an access protected
resource, then the server can initiate a renegotiation to ask for client
authentication. This is the case where the server sends the hello_request. I
have pasted the relevant portion from the RFC and how Schannel generates
this message via the code below. When the client reveices a hello_request it
then kicks off a new handshake by sending a client_hello.

RFC TLS1.0: http://www.ietf.org/rfc/rfc2246.txt
7.4.1.1. Hello request
When this message will be sent:
The hello request message may be sent by the server at any time.
Meaning of this message:
Hello request is a simple notification that the client should
begin the negotiation process anew by sending a client hello
message when convenient. This message will be ignored by the
client if the client is currently negotiating a session. This
message may be ignored by the client if it does not wish to
renegotiate a session, or the client may, if it wishes, respond
with a no_renegotiation alert. Since handshake messages are
intended to have transmission precedence over application data,
it is expected that the negotiation will begin before no more
than a few records are received from the client. If the server
sends a hello request but does not receive a client hello in
response, it may close the connection with a fatal alert.

After sending a hello request, servers should not repeat the request
until the subsequent handshake negotiation is complete.

Structure of this message:
struct { } HelloRequest;

Note: This message should never be included in the message hashes which
are maintained throughout the handshake and used in the finished
messages and the certificate verify message.

HOW Schannel generates hello_request:
//
// Build encrypted hello_request message.
//

dwSSPIFlags = ASC_REQ_SEQUENCE_DETECT |
ASC_REQ_REPLAY_DETECT |
ASC_REQ_CONFIDENTIALITY |
ASC_REQ_EXTENDED_ERROR |
ASC_REQ_ALLOCATE_MEMORY |
ASC_REQ_STREAM;

InBuffers[0].BufferType = SECBUFFER_EMPTY;
InBuffers[0].pvBuffer = NULL;
InBuffers[0].cbBuffer = 0;

InBuffer.ulVersion = SECBUFFER_VERSION;
InBuffer.cBuffers = 1;
InBuffer.pBuffers = InBuffers;

OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].cbBuffer = 0;

OutBuffer.ulVersion = SECBUFFER_VERSION;
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;

Status = g_SecurityFunc.AcceptSecurityContext
(
hCred,
hContext,
&InBuffer,
dwSSPIFlags,
SECURITY_NATIVE_DREP,
NULL,
&OutBuffer,
&dwSSPIOutFlags,
NULL);

3- To refresh keys.
This is application dependent. The RFC states above that the server may
close the connection if it does not receive a client_hello, this is the case
where the server may not close the connection as its only wanting to refresh
keys and the client doesn't want to. The implementation is the same way as
above for case2.

Also, some comments inline.....

Hope this helps. If I have missed something then please ask again as this
mail was a bit comprehensive to catch all queries..:)
--
Vishal Mishra [MSFT]
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm"
-------------------------------------------------------------------------

Post by Mark M.
Hi Folks - (in particular Vishal Mishra & John Banes from MS...)
A question regarding SSL session key renegotiation in SChannel.
(FYI - Vishal has previously pointed out that in fact CLIENT-side initiated
Session Renegotiation is NOT supported by SChannel on W2K(before SP5) or WXP
(before SP2). The first time thats been mentioned anywhere by MS AFAIK)
Anyway - here goes for SERVER-side initiated Renegotation (the usual
scenario...)
Question: How are Encrypted Application Layer Records from the server
handled by an Schannel client
during a Session renegotiation?
1. A server requests a renegotiation by sending a HELLO_REQUEST, that the
clients DecrpytMessage() recognises by returning SEC_I_RENEGOTIATE.
2. The client can then kick off a new handshake loop at its leisure (the
server MAY enforce the renegotiation, or it may not). The client could in
fact ignore the request...lets say it'd like to comply.....

[vishal mishra] The server SHOULD close the connection if the client does
not send a client_hello as the resource requested requires authentication.
The case where it may continue is when it wants to refresh keys and the
client disagrees. This is application dependent.

Post by Mark M.
3. The client makes repeated calls to InitializeSecurityContext() during the
handshake loop, the first one passing in empty buffers & building a
CLIENT_HELLO, which it sends back to the server begin the renegotiation
proper.
4. The client read() 's data returned by the server & passes it into
InitializeSecurityContext() until complete....
BUT: PROBLEM: When a client is in a "handshake loop" in it is entirely
possible to read() application layer records (not "handshake" records)

"from-the-wire" -

Post by Mark M.
sent by the server before IT received the
initial CLIENT_HELLO.

[vishal mishra] The server does not (should not?, app dependent I beleive)
send app data after requesting a renegotiation. It waits for the client to
send a client_hello and then depending on application, it can either close
the connection with a fatal error or continue servicing client requests. TCP
guarantees that client gets all app data before the hello_request.
This seems like an application dependent issue. If your server does not
require client_hello after requesting for it then it should start sending
the data out and the client should handle that like other app data. The
client did not send a client_hello so its not in the ISC/ASC handshake dance
but is in the loop where it accepts and decrypts data with the existing
session keys.

Post by Mark M.
If the SDK samples are followed, these records will all be handled by
InitializeSecurityContext().
This works fine if the records are indeed all handshake records, but
what is InitializeSecurityContext()'s behaviour if passed in data that
contains an application layer record encrypted
with the "old" session keys?
There is no reason for the server NOT to continue sending encrypted data
having requested a renegotiation, as it is allowed for the client to ignore
the renegotiate request!
Of course once the server receives the CLIENT_HELLO - it should stop sending
further encrypted data.
One _could_ have a look at the records as they come in (during the handshake
loop) & explicitly check for handshake type messages
[first byte in the record - 0x17 for application layer data, 0x16 for
Handshake messages]
Then pass any App records to DecryptMessage, until we get a Handshake
message, at which point we continue
with our InitializeSecurityContext loop as normal.
[ Even then - whats to stop the Handshake message being another
HELLO_REQUEST, which is properly handled by DecryptMessage ???? ]
But isn't the API supposed to take care of that kind of stuff.....?
Any further insight would be much appreciated. .......(a bit long I know -
but then again what do you expect with such an unwieldy API.....)
Thanks a lot folks
Regards......................Mark.

Falcon

2003-09-02 17:41:08 UTC

Permalink

Hi Vishal,

I also have an issue with Session Renegotiation that maybe you can
shed some light on. I am implementing an Schannel Client to
communicate with BIGIP (OpenSSL) host.

I can invoke Session Key renegotiation from the client end using
USE_SESSION_KEY in the InitializeSecurityContext, with the current
credentials and context information. But I also want to renegotiate a
new session completely as well, I have attempted this in two ways,
both of which are refused by the BIGIP host:

Method 1 - Create a new security context via ISC and send the new
ClientHello to the host. This is refused by the host, apparently the
host does not recognise it as a valid request as the context has now
changed.

Method 2 - Using the current context and credential information, call
ISC with empty input buffers, again send the output to the host. The
host recognises this as a resumption request of the previous session.

After discussing this with the BIGIP expert, the host is expecting a
resumption request with no Session ID field.

I see no way of being able to produce what the host expects, is there
another way to perform Session Renegotiation from the client end.

Thanks in advance,
Falcon

Post by Vishal Mishra [MS]
1- Upfront the server can ask a client to authenticate and send the client
certificate. This is during the initial handshake and the server sends a
"certificate_request" message (pass the flag bewlo to ASC and Schannel does
this)
dwSSPIFlags |= ASC_REQ_MUTUAL_AUTH;
2- After the initial handshake, the client requests an access protected
resource, then the server can initiate a renegotiation to ask for client
authentication. This is the case where the server sends the hello_request. I
have pasted the relevant portion from the RFC and how Schannel generates
this message via the code below. When the client reveices a hello_request it
then kicks off a new handshake by sending a client_hello.
RFC TLS1.0: http://www.ietf.org/rfc/rfc2246.txt
7.4.1.1. Hello request
The hello request message may be sent by the server at any time.
Hello request is a simple notification that the client should
begin the negotiation process anew by sending a client hello
message when convenient. This message will be ignored by the
client if the client is currently negotiating a session. This
message may be ignored by the client if it does not wish to
renegotiate a session, or the client may, if it wishes, respond
with a no_renegotiation alert. Since handshake messages are
intended to have transmission precedence over application data,
it is expected that the negotiation will begin before no more
than a few records are received from the client. If the server
sends a hello request but does not receive a client hello in
response, it may close the connection with a fatal alert.
After sending a hello request, servers should not repeat the request
until the subsequent handshake negotiation is complete.
struct { } HelloRequest;
Note: This message should never be included in the message hashes which
are maintained throughout the handshake and used in the finished
messages and the certificate verify message.
//
// Build encrypted hello_request message.
//
dwSSPIFlags = ASC_REQ_SEQUENCE_DETECT |
ASC_REQ_REPLAY_DETECT |
ASC_REQ_CONFIDENTIALITY |
ASC_REQ_EXTENDED_ERROR |
ASC_REQ_ALLOCATE_MEMORY |
ASC_REQ_STREAM;
InBuffers[0].BufferType = SECBUFFER_EMPTY;
InBuffers[0].pvBuffer = NULL;
InBuffers[0].cbBuffer = 0;
InBuffer.ulVersion = SECBUFFER_VERSION;
InBuffer.cBuffers = 1;
InBuffer.pBuffers = InBuffers;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].cbBuffer = 0;
OutBuffer.ulVersion = SECBUFFER_VERSION;
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
Status = g_SecurityFunc.AcceptSecurityContext
(
hCred,
hContext,
&InBuffer,
dwSSPIFlags,
SECURITY_NATIVE_DREP,
NULL,
&OutBuffer,
&dwSSPIOutFlags,
NULL);
3- To refresh keys.
This is application dependent. The RFC states above that the server may
close the connection if it does not receive a client_hello, this is the case
where the server may not close the connection as its only wanting to refresh
keys and the client doesn't want to. The implementation is the same way as
above for case2.
Also, some comments inline.....
Hope this helps. If I have missed something then please ask again as this
mail was a bit comprehensive to catch all queries..:)
--
Vishal Mishra [MSFT]
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm"
-------------------------------------------------------------------------

initiated

Post by Mark M.
Session Renegotiation is NOT supported by SChannel on W2K(before SP5) or

WXP

Post by Mark M.
(before SP2). The first time thats been mentioned anywhere by MS AFAIK)
Anyway - here goes for SERVER-side initiated Renegotation (the usual
scenario...)
Question: How are Encrypted Application Layer Records from the server
handled by an Schannel client
during a Session renegotiation?
1. A server requests a renegotiation by sending a HELLO_REQUEST, that the
clients DecrpytMessage() recognises by returning SEC_I_RENEGOTIATE.
2. The client can then kick off a new handshake loop at its leisure (the
server MAY enforce the renegotiation, or it may not). The client could in
fact ignore the request...lets say it'd like to comply.....

Post by Mark M.
3. The client makes repeated calls to InitializeSecurityContext() during

the

Post by Mark M.
handshake loop, the first one passing in empty buffers & building a
CLIENT_HELLO, which it sends back to the server begin the renegotiation
proper.
4. The client read() 's data returned by the server & passes it into
InitializeSecurityContext() until complete....
BUT: PROBLEM: When a client is in a "handshake loop" in it is entirely
possible to read() application layer records (not "handshake" records)

"from-the-wire" -

Post by Mark M.
sent by the server before IT received the
initial CLIENT_HELLO.

ignore

Post by Mark M.
the renegotiate request!
Of course once the server receives the CLIENT_HELLO - it should stop

sending

Post by Mark M.
further encrypted data.
One _could_ have a look at the records as they come in (during the

handshake

Post by Mark M.
loop) & explicitly check for handshake type messages
[first byte in the record - 0x17 for application layer data, 0x16 for
Handshake messages]
Then pass any App records to DecryptMessage, until we get a Handshake
message, at which point we continue
with our InitializeSecurityContext loop as normal.
[ Even then - whats to stop the Handshake message being another
HELLO_REQUEST, which is properly handled by DecryptMessage ???? ]
But isn't the API supposed to take care of that kind of stuff.....?
Any further insight would be much appreciated. .......(a bit long I know -
but then again what do you expect with such an unwieldy API.....)
Thanks a lot folks
Regards......................Mark.

Vishal Mishra [MS]

2003-09-02 19:03:51 UTC

Permalink

I replied to Mark a few days back that Schannel does not support client
initiated renegotiation on W2K and XP as yet though fixes have been made for
W2K SP5 and XP SP2.

it is supported on Windows Server 2003 and NT. I have pasted the code below
to perform it on those platforms.

//
// Initiate a client_hello message and generate a token.
//

OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].cbBuffer = 0;

OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
OutBuffer.ulVersion = SECBUFFER_VERSION;

scRet = g_pSSPI->InitializeSecurityContextA(
phCreds,
phContext,
pszServerName,
dwSSPIFlags,
0,
SECURITY_NATIVE_DREP,
NULL,
0,
NULL,
&OutBuffer,
&dwSSPIOutFlags,
&tsExpiry);

if(scRet != SEC_I_CONTINUE_NEEDED) {
printf(__FUNCTION__": **** Error 0x%x returned by
InitializeSecurityContext\n", scRet);
return scRet;
}

// Send response to server if there is one.
if(OutBuffers[0].cbBuffer != 0 && OutBuffers[0].pvBuffer != NULL)
{
cbData = send(Socket,
OutBuffers[0].pvBuffer,
OutBuffers[0].cbBuffer,
0);

// Free output buffer.
g_pSSPI->FreeContextBuffer(OutBuffers[0].pvBuffer);
OutBuffers[0].pvBuffer = NULL;
}
--
Vishal Mishra [MSFT]
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm"
-------------------------------------------------------------------------

Post by Falcon
Hi Vishal,
I also have an issue with Session Renegotiation that maybe you can
shed some light on. I am implementing an Schannel Client to
communicate with BIGIP (OpenSSL) host.
I can invoke Session Key renegotiation from the client end using
USE_SESSION_KEY in the InitializeSecurityContext, with the current
credentials and context information. But I also want to renegotiate a
new session completely as well, I have attempted this in two ways,
Method 1 - Create a new security context via ISC and send the new
ClientHello to the host. This is refused by the host, apparently the
host does not recognise it as a valid request as the context has now
changed.
Method 2 - Using the current context and credential information, call
ISC with empty input buffers, again send the output to the host. The
host recognises this as a resumption request of the previous session.
After discussing this with the BIGIP expert, the host is expecting a
resumption request with no Session ID field.
I see no way of being able to produce what the host expects, is there
another way to perform Session Renegotiation from the client end.
Thanks in advance,
Falcon

hello_request. I

Post by Falcon

Post by Vishal Mishra [MS]
have pasted the relevant portion from the RFC and how Schannel generates
this message via the code below. When the client reveices a

hello_request it

Post by Falcon

Post by Vishal Mishra [MS]
then kicks off a new handshake by sending a client_hello.
RFC TLS1.0: http://www.ietf.org/rfc/rfc2246.txt
7.4.1.1. Hello request
The hello request message may be sent by the server at any time.
Hello request is a simple notification that the client should
begin the negotiation process anew by sending a client hello
message when convenient. This message will be ignored by the
client if the client is currently negotiating a session. This
message may be ignored by the client if it does not wish to
renegotiate a session, or the client may, if it wishes, respond
with a no_renegotiation alert. Since handshake messages are
intended to have transmission precedence over application data,
it is expected that the negotiation will begin before no more
than a few records are received from the client. If the server
sends a hello request but does not receive a client hello in
response, it may close the connection with a fatal alert.
After sending a hello request, servers should not repeat the request
until the subsequent handshake negotiation is complete.
struct { } HelloRequest;
Note: This message should never be included in the message hashes which
are maintained throughout the handshake and used in the finished
messages and the certificate verify message.
//
// Build encrypted hello_request message.
//
dwSSPIFlags = ASC_REQ_SEQUENCE_DETECT |
ASC_REQ_REPLAY_DETECT |
ASC_REQ_CONFIDENTIALITY |
ASC_REQ_EXTENDED_ERROR |
ASC_REQ_ALLOCATE_MEMORY |
ASC_REQ_STREAM;
InBuffers[0].BufferType = SECBUFFER_EMPTY;
InBuffers[0].pvBuffer = NULL;
InBuffers[0].cbBuffer = 0;
InBuffer.ulVersion = SECBUFFER_VERSION;
InBuffer.cBuffers = 1;
InBuffer.pBuffers = InBuffers;
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
OutBuffers[0].pvBuffer = NULL;
OutBuffers[0].cbBuffer = 0;
OutBuffer.ulVersion = SECBUFFER_VERSION;
OutBuffer.cBuffers = 1;
OutBuffer.pBuffers = OutBuffers;
Status = g_SecurityFunc.AcceptSecurityContext
(
hCred,
hContext,
&InBuffer,
dwSSPIFlags,
SECURITY_NATIVE_DREP,
NULL,
&OutBuffer,
&dwSSPIOutFlags,
NULL);
3- To refresh keys.
This is application dependent. The RFC states above that the server may
close the connection if it does not receive a client_hello, this is the case
where the server may not close the connection as its only wanting to refresh
keys and the client doesn't want to. The implementation is the same way as
above for case2.
Also, some comments inline.....
Hope this helps. If I have missed something then please ask again as this
mail was a bit comprehensive to catch all queries..:)
--
Vishal Mishra [MSFT]
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm"

-------------------------------------------------------------------------