Re: [TLS] A la carte handshake negotiation

Ilari Liusvaara <> Fri, 12 June 2015 08:31 UTC

Date: Fri, 12 Jun 2015 11:31:53 +0300
From: Ilari Liusvaara <>
To: Dave Garrett <>
Message-ID: <20150612083153.GA24990@LK-Perkele-VII>
Subject: Re: [TLS] A la carte handshake negotiation

On Thu, Jun 11, 2015 at 03:58:21PM -0400, Dave Garrett wrote:
> Here is a branch with a rough draft of an a la carte handshake algorithm negotiation scheme for TLS 1.3, based on discussions on this list.

> TL;DR:
> * Deprecate all suites with any of: DH, DHE, ECDH, RSA, DSS
> * Deployments may continue to offer deprecated suites for TLS 1.0-1.2 negotiation.
> * TLS 1.3 would only negotiate suites prefixed with ECDHE_ECDSA or ECDHE_PSK.
> * TLS 1.3 implementations negotiate ECDHE/DHE & RSA/DSS/ECDSA solely via the "supported_groups" & "signature_algorithms" extensions.
> * No change to bulk cipher negotiation.
> To be clear, this would mean a connection could negotiate usage of a ECDHE_ECDSA suite and negotiate ECDHE+RSA. It doesn't say anything about DHE+ECDSA yet, but I think that combination is fine if negotiated.

AFAICT, in TLS 1.2, DHE+ECDSA is legal, if client signals support for
both DHE (via ciphersuites) and ECDSA (via (possibly implicit default)

(In TLS 1.1 and earlier, there is seemingly no way to use DHE+ECDSA)

The main pitfall I see for unifying DH is the ECDHE nested length
byte (which is insufficient for DHE). One would have to either expand
that to 2 bytes, or better yet, dump it entirely (as it is seemingly

> Benefits:
> 1) Old DH(E) suites are replaced by a system which only negotiates strong FFDHE groups.
> 2) The combinatorial explosion of suites that need to be offered in a ClientHello is reduced.
> 3) Accidental interop failure due to a missing combination is avoided.
> 4) All TLS 1.3 implementations are expected to be able to handle ECC, but are not required to offer or negotiate it. (at least, here)
> 5) EdDSA can easily be added to the list as a variation of ECDSA without new suites.
> 6) No more confusing double negotiation of signature algorithms. Just extensions, instead of many suites and extensions.
> 7) The default usage of SHA1 for the "signature_algorithms" extension can be removed, as all TLS 1.3 clients would be required to send it.

Also, there is no "double negotiation" in TLS 1.2 either. TLS 1.2 is
quite clear about the interaction of signature algorithms in ciphersuites
and explicit signature negotiation (explicit negotiation always takes

Of course, I wouldn't be surprised if there was a fair bit of software
that got those rules wrong...
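The a la carte selection described in the quoted TL;DR, written out as an added Python example (not code from the draft branch or from either mail author): the suite name becomes a placeholder, the key exchange is decided by the group picked from "supported_groups", and the signature by "signature_algorithms". Suite strings, group names and signature-algorithm labels are constructed for the example, and the server honouring the client's preference order is an assumption of this example, not a rule the draft states.

```python
from typing import NamedTuple, Optional, Tuple

# Key-exchange / authentication tokens the draft would deprecate for TLS 1.3.
DEPRECATED = {"DH", "DHE", "ECDH", "RSA", "DSS"}
# Only these suite prefixes remain negotiable under TLS 1.3 in the proposal.
TLS13_PREFIXES = ("ECDHE_ECDSA_", "ECDHE_PSK_")
# Constructed for this example: which supported_groups entries are FFDHE.
FFDHE_GROUPS = {"ffdhe2048", "ffdhe3072"}


class Choice(NamedTuple):
    suite: str   # placeholder suite; no longer decides kex or signature
    kex: str     # "ECDHE" or "DHE", decided by the chosen group
    group: str   # taken from supported_groups
    sig: str     # taken from signature_algorithms (constructed labels)


def suite_parts(suite: str) -> Tuple[str, str]:
    """Split 'KEX_AUTH_WITH_...' into (kex, auth); 'RSA_WITH_...' is (RSA, RSA)."""
    parts = suite.split("_WITH_", 1)[0].split("_", 1)
    return (parts[0], parts[1] if len(parts) > 1 else parts[0])


def is_deprecated(suite: str) -> bool:
    """True if the suite would be deprecated under the draft's rule."""
    kex, auth = suite_parts(suite)
    return kex in DEPRECATED or auth in DEPRECATED


def negotiate(offered_suites, supported_groups, signature_algorithms,
              server_groups, server_sig_algs) -> Optional[Choice]:
    """Server-side a la carte selection; None means no TLS 1.3 choice exists.

    Client lists are in preference order and the server honours that order
    (an assumption of this example; the draft does not fix a preference rule).
    """
    candidates = [s for s in offered_suites if s.startswith(TLS13_PREFIXES)]
    if not candidates:
        return None  # only legacy suites offered: nothing TLS 1.3 can pick
    group = next((g for g in supported_groups if g in server_groups), None)
    sig = next((s for s in signature_algorithms if s in server_sig_algs), None)
    if group is None or sig is None:
        return None  # no common group or no signature the server's key can do
    kex = "DHE" if group in FFDHE_GROUPS else "ECDHE"
    return Choice(candidates[0], kex, group, sig)
```

With an ECDHE_ECDSA placeholder suite, an x25519 group and an RSA signature label the result is ECDHE+RSA; with an ffdhe2048 group and an ECDSA label it is DHE+ECDSA, the two combinations the quoted text discusses.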