IETF Logo Mail Archive

Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

Jim Manico <jim@manico.net> Mon, 22 September 2014 16:33 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07DBC1A1B01 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Sep 2014 09:33:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.686
X-Spam-Level:
X-Spam-Status: No, score=-7.686 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uonj7C5WDweY for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Sep 2014 09:33:43 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 321B11A0203 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 22 Sep 2014 09:33:43 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XW6WF-0005kA-Fr for ietf-http-wg-dist@listhub.w3.org; Mon, 22 Sep 2014 16:31:19 +0000
Resent-Date: Mon, 22 Sep 2014 16:31:19 +0000
Resent-Message-Id: <E1XW6WF-0005kA-Fr@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <jim@manico.net>) id 1XW6Vr-0005dv-Kv for ietf-http-wg@listhub.w3.org; Mon, 22 Sep 2014 16:30:55 +0000
Received: from mail-qa0-f49.google.com ([209.85.216.49]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <jim@manico.net>) id 1XW6Vn-0004Wv-1b for ietf-http-wg@w3.org; Mon, 22 Sep 2014 16:30:55 +0000
Received: by mail-qa0-f49.google.com with SMTP id n8so355378qaq.22 for <ietf-http-wg@w3.org>; Mon, 22 Sep 2014 09:30:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=RRHmargmMM62IfxlgBLcJs0Deoa4s1jCVC0fqWvc+54=; b=hCPmCIaxih/4O1hzsDvdWYNMmLn6nx5Bmzf6yUahirGrBX/5C/U46EmT46YoRHX0Za U+88sroDq3siCq+LIcP/kPLN7M5SmYFT5mTkOxa76Ew1Vps1H7FXFR+XOK1nF6JTHB2J //AfD/uRCOMC+QdOmkHImynPCZcnTEOWsOck7t24qiMPq/JvRl01kIHvLXa9MwjLT5mh HtEcfpNSEjZIrY9hfyg87bpAyTRR8thXpcRMBdMS8BFyI5ZZQuR1G2ho+sqvFwDP47JA stssH8b55JzIQFNuQ3CeECsZywVQnDMirXV4y0md7k/YEtbdP1gBuFEvyfbUkMMqo3+T t96w==
X-Gm-Message-State: ALoCoQnC2q7IBp3bYnb0YTzevYR8Zf2zvvlEgKfI5esomSPiRy56dG5ueVJI4fOYQNxf46Zn33Z4
X-Received: by 10.140.107.164 with SMTP id h33mr16077326qgf.42.1411403425025; Mon, 22 Sep 2014 09:30:25 -0700 (PDT)
Received: from [10.0.0.30] (sub-190-88-238ip63.rev.onenet.an. [190.88.238.63]) by mx.google.com with ESMTPSA id 89sm8096738qgj.49.2014.09.22.09.30.23 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 22 Sep 2014 09:30:24 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-B50E869C-A074-4494-B801-C2DDC30B1B87"
Mime-Version: 1.0 (1.0)
From: Jim Manico <jim@manico.net>
X-Mailer: iPhone Mail (11D257)
In-Reply-To: <CABcZeBPvQfkqnPkfzY53RVAHNw0govmp8p8obvp99w8zs4=RKw@mail.gmail.com>
Date: Mon, 22 Sep 2014 12:30:23 -0400
Cc: Greg Wilkins <gregw@intalio.com>, Patrick McManus <pmcmanus@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: 7bit
Message-Id: <50A057B6-328C-4F9C-827D-EEACA41ADB35@manico.net>
References: <CAH_y2NF+sP9BmYuD4QbeHpwC_uj67itzaAFCnRVC6f--KDYOgg@mail.gmail.com> <CAOdDvNopynmwvwWLXvuC0q7skunFXcfRoVHe9s7BKcoCwaBgWQ@mail.gmail.com> <CAH_y2NGXz7e3ejqy_rD=39=yYp3+cS1Dm6c3yFEYZg6tsUp5VQ@mail.gmail.com> <CABkgnnWAdm1TLP2XCKNU-6RPACLfooQV73R7Gpoemv+9PNULCA@mail.gmail.com> <CAH_y2NFLjok-NRJtOw1vmSy68sf393iSOgA4K599q0BSBqbNgA@mail.gmail.com> <CABkgnnU-CMtv8KvYU9n+QoPBOBshtQv3RfLy2qw=qVNb2O-qGg@mail.gmail.com> <CAH_y2NHrbH5Objwhq9E89QexhQtND4uOdy8q7OEckTCU17WqKg@mail.gmail.com> <CAH_y2NErRd4rxinSzEH3-uTjdWVkZu9o6sSKSf47LxfPFTRONw@mail.gmail.com> <20140917073241.GA7665@LK-Perkele-VII> <CAFewVt4pxE+9NpzYuzMKGmEdrDXzk50mC99ZbrM6M-uEoKXrHA@mail.gmail.com> <CAH_y2NGYcDvPcxDvaTRBP3p4Pnb7gw39WUDY3bNVnOGQjBgciQ@mail.gmail.com> <CAFewVt7+UAJYfKAR6DRZi_mqdzSaYw6L-pT1qg=UyOaP1ojhTw@mail.gmail.com> <CAH_y2NEhAEaPiUgi_vX6Oimw+Y-k3WrnL0gJZKPxQ8KZVuFVfw@mail.gmail.com> <CABkgnnU6C+TzJzdeQZhwXucuPUrPh1yyp1cpRd9jSePMjAnONQ@mail.gmail.com> <CAH_y2NEHZbWLof=ZWEa2UdjBw1Bf+kQCHzPkrhcSU80WaDibeA@mail.gmail.com> <CAOdDvNrdrBNi0kZDorR+8K-5-sPFipVr=U0kx5r56oPX_LhJSA@mail.gmail.com> <CAH_y2NH=skUXk0QwCs4uVqWE=iOLhi5K+kvARDUQ7uMeogrw9A@mail.gmail.com> <CABcZeBPvQfkqnPkfzY53RVAHNw0govmp8p8obvp99w8zs4=RKw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Received-SPF: none client-ip=209.85.216.49; envelope-from=jim@manico.net; helo=mail-qa0-f49.google.com
X-W3C-Hub-Spam-Status: No, score=-0.7
X-W3C-Hub-Spam-Report: HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7
X-W3C-Scan-Sig: maggie.w3.org 1XW6Vn-0004Wv-1b 2c32fa31166c456300895f8df2c995fd
X-Original-To: ietf-http-wg@w3.org
Subject: Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem
Archived-At: <http://www.w3.org/mid/50A057B6-328C-4F9C-827D-EEACA41ADB35@manico.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/27145
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I'm thinking about the safely of users....

Today, TLS can support the null cipher or painfully weak ciphers and the user is none the wiser. 

Some indicator of the strength of the current TLS connection or some standard where TLS connections with painfully weak ciphers are not allowed is critical to a secure future.

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Sep 22, 2014, at 12:18 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> I don't have a really strong feeling on whether HTTP should mandate specific TLS
> ciphers, but I'd like to address a few technical points below.
> 
> 
>> On Thu, Sep 18, 2014 at 4:32 PM, Greg Wilkins <gregw@intalio.com> wrote:
>> 
>>> On 19 September 2014 00:03, Patrick McManus <pmcmanus@mozilla.com> wrote:
>>> This thread is suffering a bit from wall-of-text syndrome for me. Is this the main point below?
>> 
>> Sorry - my bad.   I understand that verbose repetition is not an adequate response to perceived insufficient consideration of a concern.  Yet my concern remains and it is a very significant one.    I believe that  deployment of 9.2.2  will hurt h2 adoption, hinder future good cipher maintenance and will result in widespread future connection failures.
>> 
>>  
>>> The scenario as I understand it is:...
>>> I would say that's an implementation bug in the client.
>> 
>> I would agree with you if 9.2.2 was written in precise language so that any two implementations could be reasonable expected to arrive at the same result now or into the future.  Currently I can find no definitive list of acceptable AEAD modes. Wikipeadia lists : CCM, GCM, CWC, EAX, IAPM, and OCB, but I don't think wikipeadia is a sutiable reference for such things. 
> 
> I don't think this is a real concern: TLS clearly categorizes every algorithm that is added;
> in fact this is a requirement since AEAD records are processed differently. So the
> relevant CipherSuite specification in fact does document whether a cipher is AEAD
> or not. Moreover, implementations need to know this so they can perform the record
> processing correctly. See, for instance:
> 
> http://dxr.mozilla.org/mozilla-central/source/security/nss/lib/ssl/ssl3con.c#2597
> 
>  
>>    But even if such a list was obtainable and even if we discount the possibility of AEAD being superseded in the life of h2,
> 
> I don't actually think this is that important an issue either. As I understood the discussion
> in Zurich, the new TLS limitations were directed towards pulling users of HTTP2 towards
> modern algorithms. However, algorithms which have serious weaknesses should probably
> be deprecated in all versions of HTTP (as with https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-00)
> 
> Say we decided that in future we preferred Aero (https://tools.ietf.org/html/draft-mcgrew-aero-01)
> to AEAD constructions. That seems like something we could roll out in HTTP3 but wouldn't
> be appropriate to retroactively apply to TLS 1.2 unless there was something seriously wrong
> with AEAD (and then see above).
> 
> 
>>  it is not clear if a h2 implementation is should  enforce this list with some form of name matching, or should it delegate the decision to it's TLS layer via some isAE() API
> 
> IMO it should ask the TLS layer about specific properties, not do name matching.
> That seems like a generally good API-use policy.
>  
> 
>> (and there is no guarantee that such API will exist, specially for offloaded TLS).
> 
> An offloaded TLS stack would presumably have to implement this internally, since
> it has to know whether it's safe to negotiate h2 at all.
> 
> -Ekr
>

v2.39.1 | Report a Bug | By Email | System Status