Proposal 169: Eliminate TLS renegotiation for the Tor connection handshake

Jacob Appelbaum jacob at
Thu Jan 28 15:21:30 UTC 2010

Nick Mathewson wrote:
> Filename: 169-eliminating-renegotiation.txt
> Title: Eliminate TLS renegotiation for the Tor connection handshake
> Author: Nick Mathewson
> Created: 27-Jan-2010
> Status: Draft
> Target: 0.2.2


>    The new initiator behavior now looks like this:


>              * If the CERT cell is a good cert signing the public
>                key in the x.509 certificate we got during the TLS
>                handshake, we connected to the server with that
>                identity key.  Otherwise close the connection.

I think this needs to be rewritten to be clearer.

>              * Once the NETINFO cell arrives, continue as before.


> 6. Open questions:
>   - Should we use X.509 certificates instead of the certificate-ish
>     things we describe here?  They are more standard, but more ugly.

Do we get anything out of custom-ish things? It seems kludgy to make
stuff up on the fly but perhaps it's somehow simpler for our use?

>   - May we cache which certificates we've already verified?  It
>     might leak in timing whether we've connected with a given server
>     before, and how recently.

It seems like timing information would be leaked. We should avoid that
if possible.

>   - Is there a better secret than the master secret to use in the
>     AUTHENTICATE cell?  Say, a portable one?  Can we get at it for
>     other libraries besides OpenSSL?

I'm not sure. It seems OK. What worries you about it?

>   - Can we give some way for clients to signal "I want to use the
>     V3 protocol if possible, but I can't renegotiate, so don't give
>     me the V2"?  Clients currently have a fair idea of server
>     versions, so they could potentially do the V3+ handshake with
>     servers that support it, and fall back to V1 otherwise.

Does this open us up to downgrade attacks? Downgrade attacks here seem
like they might range in seriousness from simply potentially detecting
Tor users to perhaps doing something actually nasty...

>   - What should servers that don't have TLS renegotiation do?  For
>     now, I think they should just get it.  Eventually we can
>     deprecate the V2 handshake as we did with the V1 handshake.

Seems reasonable.
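As an added illustration of the initiator check quoted above (this is example code written for this page, not Tor's implementation and not part of the thread), the following Go program models a server binding its TLS link key to its identity key and an initiator verifying that binding. Assumptions: the `CertCell` struct is a stand-in for the proposal's CERT cell, identity keys are ed25519, and the link certificate is a self-signed x.509 certificate generated on the spot; Tor's real key types and cell encoding differ. The check enforces both halves of the quoted rule: the signature must cover the public key actually seen in the TLS handshake, and the identity key must be the one the initiator set out to reach; anything else is "close the connection".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertCell is an assumed stand-in for the proposal's CERT cell: the server's
// long-term identity public key plus a signature, under that identity key,
// over the public key carried in the x.509 certificate presented during the
// TLS handshake. Tor's real cell and certificate formats are different.
type CertCell struct {
	IdentityKey ed25519.PublicKey
	Signature   []byte
}

// linkKeyBytes canonicalises the link certificate's public key as DER SPKI;
// this is the exact byte string the identity key must have signed.
func linkKeyBytes(linkCert *x509.Certificate) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(linkCert.PublicKey)
}

// MakeCertCell is the responder side: bind the TLS link key to the identity key.
func MakeCertCell(identityPriv ed25519.PrivateKey, linkCert *x509.Certificate) (CertCell, error) {
	spki, err := linkKeyBytes(linkCert)
	if err != nil {
		return CertCell{}, err
	}
	return CertCell{
		IdentityKey: identityPriv.Public().(ed25519.PublicKey),
		Signature:   ed25519.Sign(identityPriv, spki),
	}, nil
}

// VerifyCertCell is the initiator check. linkCert is the certificate observed in
// the TLS handshake (never anything taken from the cell itself), and
// expectedIdentity is the relay identity the initiator intended to reach.
// nil means "we connected to the server with that identity key"; any error
// means "close the connection".
func VerifyCertCell(cell CertCell, linkCert *x509.Certificate, expectedIdentity ed25519.PublicKey) error {
	if len(cell.IdentityKey) != ed25519.PublicKeySize {
		return errors.New("CERT cell: malformed identity key")
	}
	spki, err := linkKeyBytes(linkCert)
	if err != nil {
		return err
	}
	// The signature must be over the link key seen on this TLS connection; a
	// cell that signs some other key proves nothing about this connection.
	if !ed25519.Verify(cell.IdentityKey, spki, cell.Signature) {
		return errors.New("CERT cell does not sign the TLS link key")
	}
	// A correct binding to the wrong identity is still a reason to close.
	if !cell.IdentityKey.Equal(expectedIdentity) {
		return errors.New("CERT cell identity key is not the relay we intended")
	}
	return nil
}

// NewSelfSignedLinkCert builds a throwaway self-signed x.509 certificate for a
// fresh link key, standing in for the cert a server presents in the TLS handshake.
func NewSelfSignedLinkCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	identityPub, identityPriv, _ := ed25519.GenerateKey(rand.Reader)
	linkCert, err := NewSelfSignedLinkCert()
	if err != nil {
		panic(err)
	}
	cell, _ := MakeCertCell(identityPriv, linkCert)
	fmt.Println("honest server:", VerifyCertCell(cell, linkCert, identityPub))

	// Same cell seen on a connection whose TLS cert carries a different link key.
	otherCert, _ := NewSelfSignedLinkCert()
	fmt.Println("cell does not match this link key:", VerifyCertCell(cell, otherCert, identityPub))

	// A self-consistent cell carrying an identity the initiator did not ask for.
	_, otherIdentity, _ := ed25519.GenerateKey(rand.Reader)
	otherCell, _ := MakeCertCell(otherIdentity, otherCert)
	fmt.Println("wrong identity:", VerifyCertCell(otherCell, otherCert, identityPub))
}
```

The order of the two checks is deliberate: verifying the signature before comparing identities means the identity comparison is only ever made against a key that has demonstrably signed this connection's link key, so a bare identity key in a cell carries no weight on its own.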
