Re: [TLS] History of extensions

Marsh Ray <marsh@extendedsubset.com> Thu, 12 November 2009 07:49 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 73ADF3A686D for <tls@core3.amsl.com>; Wed, 11 Nov 2009 23:49:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.531
X-Spam-Level:
X-Spam-Status: No, score=-2.531 tagged_above=-999 required=5 tests=[AWL=0.068, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NEN-1U94KA12 for <tls@core3.amsl.com>; Wed, 11 Nov 2009 23:49:49 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 67CC73A69DA for <tls@ietf.org>; Wed, 11 Nov 2009 23:49:49 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N8URd-000GgI-Pg; Thu, 12 Nov 2009 07:50:17 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id EBBBF6678; Thu, 12 Nov 2009 07:50:15 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+WMYlfsRZ20GUized/Hs5v/hPoWbMfQoU=
Message-ID: <4AFBBE35.4010306@extendedsubset.com>
Date: Thu, 12 Nov 2009 01:50:13 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>, Martin Rex <mrex@sap.com>
References: <200911120512.nAC5CiIu019763@fs4113.wdf.sap.corp>
In-Reply-To: <200911120512.nAC5CiIu019763@fs4113.wdf.sap.corp>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] History of extensions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 07:49:50 -0000

Martin Rex wrote:
> That is wrong.  The SSLv3 spec has the exact same provisions for
> TLS extensions as the TLSv1.0 and TLSv1.1 specs.
>
> TLS extensions became a standard part of the protocol in TLSv1.2 only.
>
> Compare the specs and you will see.

Very enlightening, it's even more complicated than you said. No wonder
these things don't interoperate quite so well.

Here's what I find:

SSL 3.0 draft-freier-ssl-version3-02.txt

   "In the interests of forward compatibility, it is
   permitted for a client hello message to include
   extra data after the compression methods."

RFC 2246 TLS 1.0 (Jan 1999)

   "In the interests of forward compatibility, it is permitted for a
   client hello message to include extra data after the compression
   methods. This data must be included in the handshake hashes, but
   must otherwise be ignored. This is the only handshake message for
   which this is legal; for all other messages, the amount of data
   in the message must match the description of the message precisely."

RFC 3546 TLS Extensions (June 2003)
   Updates 2246 (TLS 1.0)

   "The extensions described in this document may be used by TLS 1.0
   clients and TLS 1.0 servers.  The extensions are designed to be
   backwards compatible - meaning that TLS 1.0 clients that support the
   extensions can talk to TLS 1.0 servers that do not support the
   extensions, and vice versa."
   "Note that the extended server hello message is only sent in response
   to an extended client hello message.  This prevents the possibility
   that the extended server hello message could "break" existing TLS 1.0
   clients"
   "The extended server hello message format MAY be sent in place of the
   server hello message when the client has requested extended
   functionality via the extended client hello message"

RFC 4346 TLS 1.1 (April 2006)

   "In the interests of forward
   compatibility, it is permitted that a client hello message include
   extra data after the compression methods. This data MUST be included
   in the handshake hashes, but must otherwise be ignored. This is the
   only handshake message for which this is legal; for all other
   messages, the amount of data in the message MUST match the
   description of the message precisely.

RFC 4366 TLS Extensions (April 2006)
   Updates 4346 (TLS 1.1)
   "The document therefore updates TLS 1.0 [TLS] and TLS 1.1"
   "The extended server hello message format MAY be sent in place of the
   server hello message when the client has requested extended
   functionality via the extended client hello message"

RFC 5246 TLS 1.2

   "Clients MAY request extended functionality from servers by sending
   data in the extensions field.  The actual "Extension" format is
   defined in Section 7.4.1.4."
   "[server] A list of extensions.  Note that only extensions offered
   by the client can appear in the server's list."

------
My interpretation:

SSL 3.0  Allows room at the end of Client Hello for extra data.
         Is silent on extra data after Server Hello.
         No standard defines anything to be passed here.

TLS 1.0  Allows room at the end of Client Hello for extra data
         Forbids extra data after Server Hello.
         Possibly went four years with no extensions defined,
         so early implementations were untested in this.

June 2003

RFC 3546 Uses room defined in TLS 1.0 to grow ClientHello into
         ExtendedClientHello.
         Defines a new ExtendedServerHello message without assigning
         it a new HandshakeType. This is probably OK. SSL proxying
         and monitoring may have been confused by this contradiction
         of the spec with no version number bump.

TLS 1.1  Reiterates that only ClientHello can have extra data.
         No provision for ExtendedServerHello.

RFC 4366 Updates TLS 1.0 and 1.1 to re-allow extensions.
         This was simultaneous to 1.1 spec, so just an update.

TLS 1.2  Defines extensions as part of the main TLS spec.

------
Conclusions:

Nothing defines extensions for SSL 3.0, how such servers will react when
sent extra ClientHello data is somewhat unpredictable.

Perfectly-conforming implmentations since spec of Jan 1999 should, in
theory, not be broken.

In practice, TLS server implementations designed before about 2004
probably had no compliant clients with which to test that would send any
data after the traditional ClientHello. Such systems probably shipped
for quite some time afterwards. For example, all pre-Vista Windows OS's
may be in this category based on design date.

There are a large number of TLS implementations that are not currently
extension-aware which will have to retrofit at least primitive support
in order to benefit from this security fix.

- Marsh