RE: 9.2.2 Cipher fallback and FF<->Jetty interop problem
Andrei Popov <Andrei.Popov@microsoft.com> Sat, 20 September 2014 18:14 UTC
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
CC: Roland Zink <roland@zinks.de>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/c5d0c3ccb93d497f80326a18784a0af7@BY2PR03MB427.namprd03.prod.outlook.com>
> The TLS protocol versions is not a problem, at least in no-MITM
> environment: The application knows if it is trying TLS 1.2+ or not.
> And I really hope that there is no TLS stack retarded enough to
> fall back behind app's back.

If a client offers TLS1.0 with h2 and http/1.1 ALPN IDs, a compliant server must not negotiate h2. So either the HTTP stack has to disable TLS<1.2 when h2 is enabled, or the TLS stack has to know to ignore h2 ALPN ID when the client offers TLS<1.2. Am I missing something?

> It is feasible to just disable all non-compliant ciphersuites
> globally (for server).

Yes, it is technically feasible to disable the TLS versions and cipher suites prohibited by h2 when h2 is enabled. This may also be the right way to improve security: http/1.1 is not any more secure than h2 when used with old TLS versions and weak cipher suites. But doing so will cut off the customers who were previously able to connect with TLS 1.0 and RSA-CBC, so I doubt that most Web servers are ready to do this.

> The HTTP/2 spec itself only needs update if AES falls, whole ECC
> falls, RSA falls, or some new TLS version makes the specified MTI
> unusable.

Yes, any of these conditions and a variety of other conditions will require an HTTP/2 spec revision. E.g. once our perception of the security of certain ephemeral key lengths, AEAD mode, specific cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), or P256 curve will change, HTTP/2 spec will need an update. Previously these types of considerations were handled (admittedly, less than perfectly) by TLS specs. Now the HTTP/2 spec will also have to track this, which seems like a step in the wrong direction.

Cheers,

Andrei

-----Original Message-----
From: Ilari Liusvaara [mailto:ilari.liusvaara@elisanet.fi]
Sent: Saturday, September 20, 2014 9:41 AM
To: Andrei Popov
Cc: Roland Zink; ietf-http-wg@w3.org
Subject: Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

On Sat, Sep 20, 2014 at 12:08:07AM +0000, Andrei Popov wrote:
> The HTTP/2 spec’s restrictions on the TLS versions and cipher suites
> create a number of issues:
> a) TLS code needs to filter ALPN IDs based on the negotiated TLS
> protocol version and cipher suite, or the HTTP stack needs to filter
> cipher suites and TLS protocol versions based on the enabled HTTP
> versions.

The TLS protocol versions is not a problem, at least in no-MITM environment: The application knows if it is trying TLS 1.2+ or not. And I really hope that there is no TLS stack retarded enough to fall back behind app's back.

Also, the server knows if it supports TLS 1.2+ or not. And if client and server are TLS 1.2 capable, the negotiated version will be TLS 1.2.

However, things can go badly if there is some TLS MITM (some "security" products apparently MITM TLS connections) in the middle (but still passes ALPN). Then the client and server assumptions turn badly wrong.

The cipher requirements do have the shortcomings you note.

The PFS requirement is in the middle. It is feasible to just disable all non-compliant ciphersuites globally (for server). And version skew is unlikely, because new general-purpose PFS key exchanges are extremely rare.

> c) HTTP/2 spec needs to be updated when new secure cipher suites/ TLS
> protocol versions are added, or currently available ones become
> compromised (and special-purpose ones must be specifically enabled).

The HTTP/2 spec itself only needs update if AES falls, whole ECC falls, RSA falls, or some new TLS version makes the specified MTI unusable.

New ciphers (even "XYZ" ones) or TLS 1.3 do not require update (but TLS 1.3 introduces a new failure mode: If client is TLS 1.2-capable, and server is TLS 1.3-only, things are going to fail. But that failure would happen with any protocol).

However, there is significant risk of version skew between the application and TLS stack. This can lead to app making incorrect decisions regarding cipher acceptability, with nasty consequences.

-Ilari
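
Added example, not part of the original message and not code from any TLS or HTTP stack: a small Python model of the two options discussed above, namely restricting the server's TLS configuration globally when h2 is enabled versus ignoring the h2 ALPN ID per connection when the negotiated version or cipher suite does not qualify. The client profiles, function names and the name-based check for ephemeral key exchange and AEAD are assumptions made for the illustration.

```python
# Illustration only: handshake model and client profiles are constructed.
H2, H1 = "h2", "http/1.1"
VERSIONS = {"TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3}
MTI = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"

def suite_ok_for_h2(suite):
    """Ephemeral key exchange plus AEAD, judged from the IANA-style name (heuristic)."""
    left, sep, right = suite.partition("_WITH_")
    if not sep:
        return False                      # unrecognised naming: fail closed
    parts, tokens = left.split("_"), right.split("_")
    kx = parts[1] if len(parts) > 1 else ""
    aead = "GCM" in tokens or "CCM" in tokens or {"CHACHA20", "POLY1305"} <= set(tokens)
    return kx in ("DHE", "ECDHE") and aead

def version_ok_for_h2(version):
    # A version this table does not know is refused for h2: the application-side
    # half of the "version skew" risk raised in the thread.
    return VERSIONS.get(version, 0) >= VERSIONS["TLSv1.2"]

def handshake(client, server_versions, server_suites):
    """Highest common version and first server-preferred common suite, else None."""
    common = [v for v in server_versions if v in client["versions"] and v in VERSIONS]
    suites = [s for s in server_suites if s in client["suites"]]
    if not common or not suites:
        return None
    return max(common, key=VERSIONS.get), suites[0]

def negotiate(client, server_versions, server_suites, restrict_globally):
    """Return (version, suite, alpn), or None when the TLS handshake itself fails."""
    if restrict_globally:   # option 1: strip everything h2 prohibits from the TLS config
        server_versions = [v for v in server_versions if version_ok_for_h2(v)]
        server_suites = [s for s in server_suites if suite_ok_for_h2(s)]
    result = handshake(client, server_versions, server_suites)
    if result is None:
        return None
    version, suite = result
    # option 2: the h2 ALPN ID is ignored unless the negotiated parameters qualify
    h2_allowed = version_ok_for_h2(version) and suite_ok_for_h2(suite)
    for proto in (H2, H1):  # server preference order
        if proto in client["alpn"] and (proto != H2 or h2_allowed):
            return version, suite, proto
    return version, suite, None

SERVER_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
SERVER_SUITES = [MTI, CBC]
MODERN = {"versions": SERVER_VERSIONS, "suites": [MTI, CBC], "alpn": [H2, H1]}
LEGACY = {"versions": ["TLSv1.0"], "suites": [CBC], "alpn": [H2, H1]}  # TLS 1.0 + RSA-CBC

if __name__ == "__main__":
    for name, c in (("modern", MODERN), ("legacy", LEGACY)):
        for restrict in (False, True):
            print(name, restrict, negotiate(c, SERVER_VERSIONS, SERVER_SUITES, restrict))
```

With per-connection filtering the legacy client still connects and lands on http/1.1; with the global restriction its handshake fails outright, which is the cut-off described in the reply.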