MITM Attacks on Client Authentication after Resumption
bug description
There is a new TLS Triple Handshake attack.
https://www.imperialviolet.org/2014/03/03/triplehandshake.html
https://www.ietf.org/mail-archive/web/tls/current/msg11337.html
This could affect client certificate authentication and the channel binding used in SCRAM-SHA-1-PLUS.
bug analysis
This attack exploits weaknesses in TLS session resumption. Details of the attack are described in https://secure-resumption.com/tlsauth.pdf by Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Alfredo Pironti and Pierre-Yves Strub.
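To make concrete where the channel binding enters SCRAM-SHA-1-PLUS, the following added example (not part of this report or of any XMPP server's code) implements the RFC 5802 proof computation with the tls-unique binding and a server-side check. It shows that the server's verification passes only when its own connection's tls-unique value equals the one the client bound to; the binding therefore only protects while an attacker cannot make those two values coincide, which is what resumption makes possible. The password, salt, nonces and tls-unique values are constructed sample data.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the original report).
PASSWORD = b"pencil"
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
SERVER_NONCE = "3rfcNHYJY1ZVvWVs7j"
GS2_HEADER = "p=tls-unique,,"   # client requests the tls-unique channel binding

# Constructed tls-unique values (first Finished message) of two TLS connections.
CB_A = bytes.fromhex("00112233445566778899aabb")
CB_B = bytes.fromhex("ffeeddccbbaa998877665544")


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def stored_key() -> bytes:
    """StoredKey = H(HMAC(Hi(password, salt, i), "Client Key")). A real server
    keeps only this value; here it is derived from the sample password."""
    salted = hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, ITERATIONS)  # Hi()
    return hashlib.sha1(hmac_sha1(salted, b"Client Key")).digest()


def auth_message(cb_data: bytes) -> bytes:
    """AuthMessage per RFC 5802; the channel binding enters only via c=."""
    client_first_bare = f"n=user,r={CLIENT_NONCE}"
    server_first = (f"r={CLIENT_NONCE}{SERVER_NONCE},"
                    f"s={base64.b64encode(SALT).decode()},i={ITERATIONS}")
    c_attr = base64.b64encode(GS2_HEADER.encode() + cb_data).decode()
    client_final_no_proof = f"c={c_attr},r={CLIENT_NONCE}{SERVER_NONCE}"
    return ",".join([client_first_bare, server_first, client_final_no_proof]).encode()


def client_proof(client_cb: bytes) -> bytes:
    """Client: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, ITERATIONS)
    client_key = hmac_sha1(salted, b"Client Key")
    sig = hmac_sha1(hashlib.sha1(client_key).digest(), auth_message(client_cb))
    return bytes(a ^ b for a, b in zip(client_key, sig))


def server_verifies(proof: bytes, server_cb: bytes) -> bool:
    """Server: rebuild AuthMessage with the tls-unique value of *its own*
    connection, recover ClientKey from the proof and compare H(ClientKey)."""
    sk = stored_key()
    sig = hmac_sha1(sk, auth_message(server_cb))
    recovered = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha1(recovered).digest(), sk)
```

With matching tls-unique values `server_verifies(client_proof(CB_A), CB_A)` is True; a proof relayed onto a connection with a different value, `server_verifies(client_proof(CB_A), CB_B)`, is rejected.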
fix recommendation
Disable TLS session resumption. Resumption is used only as a performance optimization, but the XMPP protocol uses long-lived TCP connections and performs a TLS key exchange only infrequently, so the performance impact should be very, very small. (The HTTPS protocol, by contrast, uses many short-lived TCP connections, especially if HTTP pipelining is not used.)
This also improves forward secrecy, because a full handshake producing a new session key would then have to be performed on each login (if the XMPP server supports cipher suites with forward secrecy).