Re: [TLS] Unfortunate current practices for HTTP over TLS
Martin Rex <mrex@sap.com> Tue, 18 January 2011 23:31 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5ACDB28C15C for <tls@core3.amsl.com>; Tue, 18 Jan 2011 15:31:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.157
X-Spam-Level:
X-Spam-Status: No, score=-10.157 tagged_above=-999 required=5 tests=[AWL=0.092, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L+ug3z-dNmaP for <tls@core3.amsl.com>; Tue, 18 Jan 2011 15:31:33 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 1580A28C13C for <tls@ietf.org>; Tue, 18 Jan 2011 15:31:32 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id p0INY6ua007338 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 19 Jan 2011 00:34:07 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201101182334.p0INY6oQ013138@fs4113.wdf.sap.corp>
To: agl@google.com
Date: Wed, 19 Jan 2011 00:34:06 +0100
In-Reply-To: <AANLkTikX_9F9z0n1wfeAGX0W5ZcSupeK9v2UGO9D9KPp@mail.gmail.com> from "Adam Langley" at Jan 18, 11 05:21:11 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Unfortunate current practices for HTTP over TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jan 2011 23:31:34 -0000
Nice collection -- thank you for the effort!.
Do we need a new document category "WCP" (worst current practice)? :)
Adam Langley wrote:
>
> 2. Handshake message fragmentation
>
> Many servers will fail to process a handshake message that spans more
> than one record. These servers will close the connection when they
> encounter such a handshake message. HTTPS clients will commonly
> ensure against that by either packing all handshake messages in a
> flow into a single record, or by creating a single record for each
> handshake message.
>From the SSLv3 draft302 document ("Work in progress" according to rfc5746):
5.2 Record layer
The SSL Record Layer receives uninterpreted data from higher layers
in non-empty blocks of arbitrary size.
5.2.1 Fragmentation
The record layer fragments information blocks into SSLPlaintext
records of 2^14 bytes or less. Client message boundaries are not
preserved in the record layer (i.e., multiple client messages of
the same ContentType may be coalesced into a single SSLPlaintext
record).
For experimentation I put together a few lines of code for a
simple TCP communication relaying that shreds TLS records containing
handshake messages into pathological fragments (1byte,2byte,3byte,...)
And I'm actually having difficulties find TLS implementations
that can cope with this.
Some (record layer) TLS code I've looked at makes a number of flawed
assumptions about fragmentation, and fixing that code to align with
the _real_ specifiction requires a non-trivial change of the code
modularization of the record layer...
>
> 3. Protocol Fallback
>
> Intolerance to the following has been observed:
>
> Advertising a version greater than 0x03ff (around 65% of servers)
Keep in mind that this is about the first few bytes sent on a
new network connection. The purpose of the check is a heuristic
to distinguish a real TLS connection attempt (initial ClientHello)
from arbitrary other protocols instead of letting the protocol
parser engine produce a potentially confusing error message about
data that obviously isn't meant to be TLS in the first place.
Servers that tolerate >=4 versions ahead of what is currently
defined SSLv3{0x03,0x00} -> TLSv1.2{0x03,0x03} provide sufficient
slack that they are no problem for the evolution of the TLS protocol.
TLS implementations that are completely agnostic to the version
will AFAIK confuse DTLS and TLS.
>
> In all these cases, HTTPS clients will often enter a fallback mode.
> The connection is retried using only SSLv3 and without advertising
> any compression algorithms. (This is obviously an easy downgrade
> attack.)
Fallback mode is mostrly restricted to a few Web Browser that are
curiously exploring bleeding-edge TLS extensions. Most programmatic
clients don't have a fallback mode, because the fallback has to
be performed at the application level over a new network connection,
potentially including proxy traversals. Programmatic clients are
more likely to send very feature-conservative ClientHellos from
the beginning (no TLS extensions and either TLSv1.0 or SSLv3).
>
> Also, the fallback can be triggered by transient network
> problems, which often manifest as an abruptly closed connection.
> Since SSLv3 does not provide any means of Server Name Indication
> [RFC3546], the fallback connection can use the wrong certificate
> chain, resulting in a very surprising certificate error.
Since a significant fraction of the installed base browsers and
most of the programmatic clients do not send a server name indication
in the first place, the effect is more of a common annoying
certificate error pointing to an inconsiderate/misconfigured server.
The majority where I've encountered such errors, it was with
servers and hostnames belonging to the same organization, so
the problem could be entirely avoided by a sensible admin through
the simple use of adequate TLS server certs, listing all of the servers
alternative hostnames.
-Martin
- [TLS] Unfortunate current practices for HTTP over… Adam Langley
- Re: [TLS] Unfortunate current practices for HTTP … Martin Rex
- Re: [TLS] Unfortunate current practices for HTTP … Michael D'Errico
- Re: [TLS] Unfortunate current practices for HTTP … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Unfortunate current practices for HTTP … Yngve N. Pettersen (Developer Opera Software ASA)
- [TLS] AES and SSLv3 (was Re: Unfortunate current … Michael D'Errico
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Martin Rex
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Wan-Teh Chang
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Tim Dierks
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Martin Rex
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Tim Dierks
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Marsh Ray
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Wan-Teh Chang
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Martin Rex
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Martin Rex
- Re: [TLS] AES and SSLv3 (was Re: Unfortunate curr… Martin Rex