IETF Logo Mail Archive

Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-version-rollback-removal-00.txt

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Wed, 04 July 2012 08:07 UTC

Return-Path: <yngve@opera.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 392B021F870A for <tls@ietfa.amsl.com>; Wed, 4 Jul 2012 01:07:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.337
X-Spam-Level:
X-Spam-Status: No, score=-6.337 tagged_above=-999 required=5 tests=[AWL=0.263, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RQz1NYd8Wf6 for <tls@ietfa.amsl.com>; Wed, 4 Jul 2012 01:07:26 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by ietfa.amsl.com (Postfix) with ESMTP id 9D45721F8808 for <tls@ietf.org>; Wed, 4 Jul 2012 01:07:25 -0700 (PDT)
Received: from acorna.invalid.invalid (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q6487VuX027495 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 4 Jul 2012 08:07:32 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Martin Rex <mrex@sap.com>
References: <20120704013013.154FD1A13A@ld9781.wdf.sap.corp>
Date: Wed, 04 Jul 2012 10:07:37 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.wgwwuz1pqrq7tp@acorna.invalid.invalid>
In-Reply-To: <20120704013013.154FD1A13A@ld9781.wdf.sap.corp>
User-Agent: Opera Mail/11.64 (Win32)
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-version-rollback-removal-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jul 2012 08:07:27 -0000

On Wed, 04 Jul 2012 03:30:13 +0200, Martin Rex <mrex@sap.com> wrote:

> If there is anything worth considering that it would be an
> approach which has
>
>    (a) the highest possible likelyhood to succees the TLS handshake
>       -- which pretty much means extension-less ClientHello with
>       ClientHello.ClientVersion either {3,0} or {3,1}
>
>    (b) and simultaneously succeding that very same initial handshake
>        with the highest common protocol version supported by both peers
>        -- which pretty much means that the client must convey his highest
>        supported version through a cipher suite value and that the
>        updated server will ignore/override ClientHello.client_version
>        when it detects the SCSV-based version negotiation.
>
> This will on the very first handshake even when the client does not
> cache information about the server's capabilities, and it will work
> without incuring failed TLS handshakes--an approach that for some
> software stacks would require each and every application to implement
> a reconnect fallback.

An extension-less Client Hello would not be able to provide some of the  
information we will need to send to the server, even if the content in the  
extensions was frozen by a specification. Two examples: Server Name  
Indication and any new extensions that are added. A frozen extension set  
would require new SCSVs every time it was updated, or for every  
combination that one might want to use., which is rather impractical IMO.

This means that a Client Hello with extension are needed for any new  
functionality we want to add, which means one have to deal with extension  
intolerant servers.

According to my research, my approach will currently work on the first  
connection (Max version, TLS 1.2, plus extensions) for 98.5% of servers  
out there. That number is steadily increasing, 6 months ago it was 98.35%.

Most of the rest are extension intolerant for some, or all TLS 1.0 - 1.2  
versions, some (1.5% of the group) are just version intolerant, and will  
require one or more extra connections to complete a handshake, and would  
also require this for an SCSV scenario with extensions. 94% of them are  
not Renego patched.

I doubt that using an SCSV to indicate highest version will remove the  
need to do version rollbacks for servers that does not support the SCSV,  
or in case of a downgrade attack being attempted. Also, using the SCSV  
method would not result in the version rollback method ever being retired.

I also suspect that any server that is not being updated to fix the Renego  
issue will not be updated to support the SCSV method.


My proposal have the benefit of leveraging an existing protocol feature,  
adapts an already existing negotiating sequence in web browser clients,  
works on first connection for most servers, even when the client signals  
TLS 1.2 and extensions, and does not require updating servers with a new  
feature once they are patched for Renego, and it automatically becomes  
redundant and can be removed when all servers support Renego and clients  
require it.



-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************

v2.23.0 | Report a Bug | By Email