Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: crypto/tls: expose a session identifier #46718

Open
drakkan opened this issue Jun 12, 2021 · 3 comments
Open

proposal: crypto/tls: expose a session identifier #46718

drakkan opened this issue Jun 12, 2021 · 3 comments
Assignees
Labels
Proposal Proposal-Crypto
Projects
Milestone

Comments

@drakkan
Copy link

@drakkan drakkan commented Jun 12, 2021

What version of Go are you using (go version)?

$ go version
go version go1.16.5 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/nicola/.cache/go-build"
GOENV="/home/nicola/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/nicola/go/pkg/mod"
GONOPROXY="gl.syncplify.me/devteam/*"
GONOSUMDB="gl.syncplify.me/devteam/*"
GOOS="linux"
GOPATH="/home/nicola/go"
GOPRIVATE="gl.syncplify.me/devteam/*"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.5"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2054184453=/tmp/go-build -gno-record-gcc-switches"

crypto/tls has no API to verify which TLS session was resumed. This is an issue for FTPS: to avoid data connection stealing vulnerability we need to require TLS session resumption and to enforce that the TLS session on the data connection was resumed from the one on the control connection.

Please take a look here for more details.

I propose to add two new API to the ConnectionState struct:

// GetID returns a unique identifier for a TLS connection
GetID() []byte
// ResumedFrom returns the session identifier from which this session was resumed.
// It returns nil if the session was not resumed
ResumedFrom() []byte

this way we can store/get the session ID for the FTP control connection and check that ResumedFrom matches the expected ID.

I'm aware that a unique TLS identifier is not easy to expose and that it is difficult to match TLS sessions (but at least possible) also with OpenSSL

@gopherbot gopherbot added this to the Proposal milestone Jun 12, 2021
@seankhliao seankhliao added the Proposal-Crypto label Jun 12, 2021
@seankhliao
Copy link
Contributor

@seankhliao seankhliao commented Jun 12, 2021

Duplicate of #25228 , related #18346

@drakkan
Copy link
Author

@drakkan drakkan commented Jun 12, 2021

@seankhliao I saw the linked tickets, I think this is not a duplicate of #25228: the session resumption already supported in Go works fine for my use case, but it is not possible to check which session was resumed. So this proposal isn't about implementing session id resumption, session tickets are ok.

Regarding #18346 this is a different use case and TLSUnique is now deprecated and it is nil for resumed sessions, so it is not useful for the exposed use case.

I'm unable to find any existing ticket/proposal about a API to verify which TLS session was resumed, this is the reason I opened a new proposal, thank you

@seankhliao
Copy link
Contributor

@seankhliao seankhliao commented Jun 12, 2021

@seankhliao seankhliao reopened this Jun 12, 2021
@ianlancetaylor ianlancetaylor added this to Incoming in Proposals Jun 12, 2021
@FiloSottile FiloSottile self-assigned this Mar 2, 2022
@FiloSottile FiloSottile removed this from the Proposal milestone Mar 2, 2022
@FiloSottile FiloSottile added this to the Go1.19 milestone Mar 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Proposal Proposal-Crypto
Projects
Proposals
Incoming
Development

No branches or pull requests

4 participants