Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-version-rollback-removal-00.txt
"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Wed, 04 July 2012 08:07 UTC
Return-Path: <yngve@opera.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 392B021F870A for <tls@ietfa.amsl.com>; Wed, 4 Jul 2012 01:07:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.337
X-Spam-Level:
X-Spam-Status: No, score=-6.337 tagged_above=-999 required=5 tests=[AWL=0.263, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RQz1NYd8Wf6 for <tls@ietfa.amsl.com>; Wed, 4 Jul 2012 01:07:26 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by ietfa.amsl.com (Postfix) with ESMTP id 9D45721F8808 for <tls@ietf.org>; Wed, 4 Jul 2012 01:07:25 -0700 (PDT)
Received: from acorna.invalid.invalid (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q6487VuX027495 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 4 Jul 2012 08:07:32 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Martin Rex <mrex@sap.com>
References: <20120704013013.154FD1A13A@ld9781.wdf.sap.corp>
Date: Wed, 04 Jul 2012 10:07:37 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.wgwwuz1pqrq7tp@acorna.invalid.invalid>
In-Reply-To: <20120704013013.154FD1A13A@ld9781.wdf.sap.corp>
User-Agent: Opera Mail/11.64 (Win32)
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-version-rollback-removal-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jul 2012 08:07:27 -0000
On Wed, 04 Jul 2012 03:30:13 +0200, Martin Rex <mrex@sap.com> wrote: > If there is anything worth considering that it would be an > approach which has > > (a) the highest possible likelyhood to succees the TLS handshake > -- which pretty much means extension-less ClientHello with > ClientHello.ClientVersion either {3,0} or {3,1} > > (b) and simultaneously succeding that very same initial handshake > with the highest common protocol version supported by both peers > -- which pretty much means that the client must convey his highest > supported version through a cipher suite value and that the > updated server will ignore/override ClientHello.client_version > when it detects the SCSV-based version negotiation. > > This will on the very first handshake even when the client does not > cache information about the server's capabilities, and it will work > without incuring failed TLS handshakes--an approach that for some > software stacks would require each and every application to implement > a reconnect fallback. An extension-less Client Hello would not be able to provide some of the information we will need to send to the server, even if the content in the extensions was frozen by a specification. Two examples: Server Name Indication and any new extensions that are added. A frozen extension set would require new SCSVs every time it was updated, or for every combination that one might want to use., which is rather impractical IMO. This means that a Client Hello with extension are needed for any new functionality we want to add, which means one have to deal with extension intolerant servers. According to my research, my approach will currently work on the first connection (Max version, TLS 1.2, plus extensions) for 98.5% of servers out there. That number is steadily increasing, 6 months ago it was 98.35%. Most of the rest are extension intolerant for some, or all TLS 1.0 - 1.2 versions, some (1.5% of the group) are just version intolerant, and will require one or more extra connections to complete a handshake, and would also require this for an SCSV scenario with extensions. 94% of them are not Renego patched. I doubt that using an SCSV to indicate highest version will remove the need to do version rollbacks for servers that does not support the SCSV, or in case of a downgrade attack being attempted. Also, using the SCSV method would not result in the version rollback method ever being retired. I also suspect that any server that is not being updated to fix the Renego issue will not be updated to support the SCSV method. My proposal have the benefit of leveraging an existing protocol feature, adapts an already existing negotiating sequence in web browser clients, works on first connection for most servers, even when the client signals TLS 1.2 and extensions, and does not require updating servers with a new feature once they are patched for Renego, and it automatically becomes redundant and can be removed when all servers support Renego and clients require it. -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 23 69 32 60 Fax: +47 23 69 24 01 ********************************************************************
- [TLS] Fwd: New Version Notification for draft-pet… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Fwd: New Version Notification for draft… Martin Rex
- Re: [TLS] Fwd: New Version Notification for draft… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Fwd: New Version Notification for draft… Martin Rex