Re: [TLS] History of extensions

Eric Rescorla <ekr@networkresonance.com> Fri, 13 November 2009 08:21 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2528D3A68D1 for <tls@core3.amsl.com>; Fri, 13 Nov 2009 00:21:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Z7AGSVZ4jka for <tls@core3.amsl.com>; Fri, 13 Nov 2009 00:21:05 -0800 (PST)
Received: from kilo.networkresonance.com (unknown [194.126.108.9]) by core3.amsl.com (Postfix) with ESMTP id 249FF3A682A for <tls@ietf.org>; Fri, 13 Nov 2009 00:21:05 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id C55F469F381; Fri, 13 Nov 2009 10:22:35 +0200 (EET)
Date: Fri, 13 Nov 2009 10:22:35 +0200
From: Eric Rescorla <ekr@networkresonance.com>
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20091112203847.GL1105@Sun.COM>
References: <20091112181844.GE1105@Sun.COM> <200911122036.nACKa96m016227@fs4113.wdf.sap.corp> <20091112203847.GL1105@Sun.COM>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091113082235.C55F469F381@kilo.networkresonance.com>
Cc: tls@ietf.org
Subject: Re: [TLS] History of extensions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2009 08:21:06 -0000

At Thu, 12 Nov 2009 14:38:47 -0600,
Nicolas Williams wrote:
> 
> On Thu, Nov 12, 2009 at 09:36:09PM +0100, Martin Rex wrote:
> > Backwards signaling server->client that the server is updated is
> > a little more difficult because one would have to repurpose an element
> > of the ServerHello.  If there really are SSL implemenations that fill
> > the unix_gmt_time with all random data (instead of just fuzzing the
> > lower bits of it), then that part requires a less "pure" approach.
> > 
> > Maybe by confiscating a currently unused bit of the more tightly
> > controlled value ranges of other members of the ServerHello handshake
> > message (server_version.major, cipher_suite or compression_method).
> 
> The whole point of my post was to point out that there is a way to do
> the server->client signaling without changing a single bit on the wire
> -- just the Finished message computations.
> 
> Interestingly, that approach could even be used on initial connections
> to detect if the server will support secure re-negotiation _before_ the
> client ever tries it.

I don't see that. AFAICT both your options involve the client generating a 
hello extension, so this does affect the bits on the wire. Obviously
there are approaches which don't require that, but they don't provide
detection of server capabilities on initial negotiation. By contrast
your message of 1854 doesn't allow the client to probe the server 
AFAICT.

-Ekr