搜索
NetworkWorkingGroupS.Blake-WilsonRequestforComments:4366BCIObsoletes:3546M.NystromUpdates:4346RSASecurityCategory:StandardsTrackD.HopwoodIndependentConsultantJ.MikkelsenTransactionwareT.WrightVodafoneApril2006TransportLayerSecurity(TLS)ExtensionsStatusofThisMemoThisdocumentspecifiesanInternetstandardstrackprotocolfortheInternetcommunity,andrequestsdiscussionandsuggestionsforimprovements.PleaserefertothecurrenteditionoftheInternetOfficialProtocolStandards(STD1)forthestandardizationstateandstatusofthisprotocol.Distributionofthismemoisunlimited.CopyrightNoticeCopyright(C)TheInternetSociety(2006).AbstractThisdocumentdescribesextensionsthatmaybeusedtoaddfunctionalitytoTransportLayerSecurity(TLS).ItprovidesbothgenericextensionmechanismsfortheTLShandshakeclientandserverhellos,andspecificextensionsusingthesegenericmechanisms.TheextensionsmaybeusedbyTLSclientsandservers.Theextensionsarebackwardscompatible:communicationispossiblebetweenTLSclientsthatsupporttheextensionsandTLSserversthatdonotsupporttheextensions,andviceversa.Blake-Wilson,etal.StandardsTrack[Page1]RFC4366TLSExtensionsApril2006TableofContents1.Introduction....................................................31.1.ConventionsUsedinThisDocument..........................52.GeneralExtensionMechanisms....................................52.1.ExtendedClientHello......................................52.2.ExtendedServerHello......................................62.3.HelloExtensions...........................................62.4.ExtensionstotheHandshakeProtocol.......................83.SpecificExtensions.............................................83.1.ServerNameIndication....................................93.2.MaximumFragmentLengthNegotiation......................113.3.ClientCertificateURLs..................................123.4.TrustedCAIndication....................................153.5.TruncatedHMAC............................................163.6.CertificateStatusRequest................................174.ErrorAlerts...................................................195.ProcedureforDefiningNewExtensions..........................206.SecurityConsiderations........................................216.1.Securityofserver_name...................................226.2.Securityofmax_fragment_length...........................226.3.Securityofclient_certificate_url........................226.4.Securityoftrusted_ca_keys...............................246.5.Securityoftruncated_hmac................................246.6.Securityofstatus_request................................257.InternationalizationConsiderations............................258.IANAConsiderations............................................259.Acknowledgements...............................................2710.NormativeReferences..........................................2711.InformativeReferences........................................28Blake-Wilson,etal.StandardsTrack[Page2]RFC4366TLSExtensionsApril20061.IntroductionThisdocumentdescribesextensionsthatmaybeusedtoaddfunctionalitytoTransportLayerSecurity(TLS).ItprovidesbothgenericextensionmechanismsfortheTLShandshakeclientandserverhellos,andspecificextensionsusingthesegenericmechanisms.TLSisnowusedinanincreasingvarietyofoperationalenvironments,manyofwhichwerenotenvisionedwhentheoriginaldesigncriteriaforTLSweredetermined.TheextensionsintroducedinthisdocumentaredesignedtoenableTLStooperateaseffectivelyaspossibleinnewenvironmentssuchaswirelessnetworks.Wirelessenvironmentsoftensufferfromanumberofconstraintsnotcommonlypresentinwiredenvironments.Theseconstraintsmayincludebandwidthlimitations,computationalpowerlimitations,memorylimitations,andbatterylifelimitations.TheextensionsdescribedherefocusonextendingthefunctionalityprovidedbytheTLSprotocolmessageformats.Otherissues,suchastheadditionofnewciphersuites,aredeferred.Specifically,theextensionsdescribedinthisdocument:-AllowTLSclientstoprovidetotheTLSserverthenameoftheservertheyarecontacting.Thisfunctionalityisdesirableinordertofacilitatesecureconnectionstoserversthathostmultiple’virtual’serversatasingleunderlyingnetworkaddress.-AllowTLSclientsandserverstonegotiatethemaximumfragmentlengthtobesent.Thisfunctionalityisdesirableasaresultofmemoryconstraintsamongsomeclients,andbandwidthconstraintsamongsomeaccessnetworks.-AllowTLSclientsandserverstonegotiatetheuseofclientcertificateURLs.Thisfunctionalityisdesirableinordertoconservememoryonconstrainedclients.-AllowTLSclientstoindicatetoTLSserverswhichCArootkeystheypossess.ThisfunctionalityisdesirableinordertopreventmultiplehandshakefailuresinvolvingTLSclientsthatareonlyabletostoreasmallnumberofCArootkeysduetomemorylimitations.-AllowTLSclientsandserverstonegotiatetheuseoftruncatedMACs.Thisfunctionalityisdesirableinordertoconservebandwidthinconstrainedaccessnetworks.Blake-Wilson,etal.StandardsTrack[Page3]RFC4366TLSExtensionsApril2006-AllowTLSclientsandserverstonegotiatethattheserversendstheclientcertificatestatusinformation(e.g.,anOnlineCertificateStatusProtocol(OCSP)[OCSP]response