Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-version-rollback-removal-00.txt
mrex@sap.com (Martin Rex) Thu, 05 July 2012 07:39 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 383D121F8598 for <tls@ietfa.amsl.com>; Thu, 5 Jul 2012 00:39:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.249
X-Spam-Level:
X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HRG+-LAtUMxS for <tls@ietfa.amsl.com>; Thu, 5 Jul 2012 00:39:03 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id BA57121F8594 for <tls@ietf.org>; Thu, 5 Jul 2012 00:39:01 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id q657dB3E016852 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 5 Jul 2012 09:39:11 +0200 (MEST)
In-Reply-To: <op.wgwwuz1pqrq7tp@acorna.invalid.invalid>
To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Date: Thu, 05 Jul 2012 09:39:11 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20120705073911.0BC4C1A082@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-version-rollback-removal-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jul 2012 07:39:04 -0000
Personally, I consider going through a handshake failure an no-go for standardization, and would rather like to see a slight (fully optional and fully backwards-compatible) protocol modification to support a succcessul TLS handshake with the most desirable common characteristics, ZERO extra crypto overhead and a further reduction of failed TLS handshakes on the internet. Although retrying a TLS handshake with different characteristics after a TLS handshake failure may be an option for some implementations and some types of clients (in particular with Browsers), there are applications and environments, where this option simply does not exist. One other possibility to avoid waste of crypto cycles and a handshake failure would be to specify&standardize an SCSV that can be used to restart the handshake. Wasn't something like this done for the Server-Gated Crypto hacks in SSL3? So a client could start with a "conservative" extension-less SSLv3 ClientHello and include that SCSV, and a server who supports a higher version number than offered in ClientHello.client_version and/or supporting extensions that would acctually affect the characteristics of the resulting handshake, could return a ServerHello with that SCSV as the "common cihper suite", (and maybe a ServerHelloExtension describing features that can be safely used and may have been avoided by a conservative client (potentially including things like DHE cipher suites because of the small subgroup goof of some servers), an upon receiving a ServerHello with that SCSV, the client would simply restart the handshake with a full-blown ClientHello carrying all the features that the client supports and may want to offer. For proposed session resumes, the client would then already have the info about what the server supports in the TLS session cache, so there would be no overhead for handshakes with proposed TLS session resumes (even when the server perform occasional full handshakes, as long as it returns a TLS session id, so that this feature remains transparent/invisible to client applications. SNI might become a useful feature in a few years. Today there is still a significant number of clients which does not support SNI, and the interop problem that would result from an SNI prerequisite is at least a magnitude larger than TLS version intolerance and TLS extension intolerance problems. -Martin
- [TLS] Fwd: New Version Notification for draft-pet… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Fwd: New Version Notification for draft… Martin Rex
- Re: [TLS] Fwd: New Version Notification for draft… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Fwd: New Version Notification for draft… Martin Rex