Re: [TLS] Non-browser clients.
Nelson B Bolyard <nelson@bolyard.me> Sun, 22 November 2009 21:42 UTC
Return-Path: <nelson@bolyard.me>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F7343A6920 for <tls@core3.amsl.com>; Sun, 22 Nov 2009 13:42:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.31
X-Spam-Level:
X-Spam-Status: No, score=-2.31 tagged_above=-999 required=5 tests=[AWL=0.289, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ic+vjKuLHQRY for <tls@core3.amsl.com>; Sun, 22 Nov 2009 13:42:22 -0800 (PST)
Received: from p3plsmtpa01-06.prod.phx3.secureserver.net (p3plsmtpa01-06.prod.phx3.secureserver.net [72.167.82.86]) by core3.amsl.com (Postfix) with SMTP id 8FDF63A67DD for <tls@ietf.org>; Sun, 22 Nov 2009 13:42:22 -0800 (PST)
Received: (qmail 23069 invoked from network); 22 Nov 2009 21:42:13 -0000
Received: from unknown (24.5.142.42) by p3plsmtpa01-06.prod.phx3.secureserver.net (72.167.82.86) with ESMTP; 22 Nov 2009 21:42:13 -0000
Message-ID: <4B09AFC0.3030009@bolyard.me>
Date: Sun, 22 Nov 2009 13:40:16 -0800
From: Nelson B Bolyard <nelson@bolyard.me>
Organization: Network Security Services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b1pre) Gecko/20081004 NOT Firefox/2.0 SeaMonkey/2.0a2pre
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <C72AB6FD.670D%stefan@aaa-sec.com> <4B04F92A.8050903@extendedsubset.com> <4B053CF5.7000105@drh-consultancy.demon.co.uk> <4B059658.2010200@extendedsubset.com> <4B07EA2B.5040809@drh-consultancy.demon.co.uk> <4B08CCA3.3050104@bolyard.me> <4B09339D.7080108@drh-consultancy.demon.co.uk>
In-Reply-To: <4B09339D.7080108@drh-consultancy.demon.co.uk>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Non-browser clients.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Nov 2009 21:42:23 -0000
On 2009-11-22 04:50 PST, Dr Stephen Henson wrote: > Nelson B Bolyard wrote: >> On 2009-11-21 05:24 PST, Dr Stephen Henson wrote: >> >>> Just to add a point to this which hasn't really been mentioned. >>> >>> The discussion of connection logic has largely been browser centric, >>> non-browser clients often work in a different way and the current >>> proposal (draft-ietf-tls-renegotiation-01.txt) can cause them >>> significant problems. >> >> Where is this draft? It's not on rfc-editor.org nor on ietf.org. Are >> you referring to draft-RESCORLA-tls-renegotiation-01.txt? >> > > Yes I meant the 01 version at: > https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt That draft has been superseded. There has been a succession of 3 drafts: draft-RESCORLA-tls-renegotiation-00.txt draft-RESCORLA-tls-renegotiation-01.txt draft-IETF-tls-renegotiation-00.txt each of which superseded the previous. > Fallbacks aren't explicitly mentioned in the 00 draft. The whole issue of > how one can support secure renegotiation (if the server supports it) but > still connect to an unpatched SSLv3 or unpatched extension intolerant TLS > server isn't covered. Isn't it outside of scope? The draft named IETF (which I support with some minor clarifications) seems to address this quite directly. It says that secure renegotiation cannot be done with SSLv3. It talks about clients who want to take the risk may do it anyway. But clearly, doing so is outside of the scope and intent of this draft, which intent is to do things securely. > The 01 draft resolves this issue but requires fallbacks. > > It has been mentioned elsewhere that the obvious fallback techniques > using the 00 draft are vulnerable to downgrade attacks. If anyone has a > reference to a fallback technique that isn't vulnerable and complies to > the 00 draft I'd be interested to hear it. I believe that it is the intent of EKR's succession of drafts to NOT attempt to create an invulnerable form of SSLv3. Others in this list want to try to do that with alternative proposals. > Steve.
- [TLS] Proposal for hybrid solution using most of … Nasko Oskov
- Re: [TLS] Proposal for hybrid solution using most… Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… Nasko Oskov
- Re: [TLS] Proposal for hybrid solution using most… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Proposal for hybrid solution using most… Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… David-Sarah Hopwood
- Re: [TLS] Proposal for hybrid solution using most… Steve Dispensa
- Re: [TLS] Proposal for hybrid solution using most… Steve Dispensa
- Re: [TLS] Proposal for hybrid solution using most… Stefan Santesson
- Re: [TLS] Proposal for hybrid solution using most… Marsh Ray
- Re: [TLS] Proposal for hybrid solution using most… Stefan Santesson
- Re: [TLS] Proposal for hybrid solution using most… Nelson B Bolyard
- Re: [TLS] Proposal for hybrid solution using most… Yoav Nir
- Re: [TLS] Proposal for hybrid solution using most… Dr Stephen Henson
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Nasko Oskov
- Re: [TLS] Proposal for hybrid solution using most… Stephen Farrell
- [TLS] Justification for "Ugly Dirty Hack" Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Dr Stephen Henson
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Nasko Oskov
- Re: [TLS] Proposal for hybrid solution using most… Marsh Ray
- [TLS] The Hardware Angle Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Marsh Ray
- Re: [TLS] Proposal for hybrid solution using most… David-Sarah Hopwood
- Re: [TLS] Justification for "Ugly Dirty Hack" Stefan Santesson
- Re: [TLS] Proposal for hybrid solution using most… Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Nasko Oskov
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- [TLS] Protocol version bit to use, was Justificat… Bill Frantz
- Re: [TLS] Protocol version bit to use, Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… David-Sarah Hopwood
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Nasko Oskov
- Re: [TLS] Proposal for hybrid solution using most… Chris Newman
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- [TLS] Non-browser clients. Dr Stephen Henson
- Re: [TLS] Non-browser clients. Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… Thamilarasu Kandasamy (thamil)
- Re: [TLS] Proposal for hybrid solution using most… Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… David-Sarah Hopwood
- Re: [TLS] Non-browser clients. Nelson B Bolyard
- Re: [TLS] Non-browser clients. Dr Stephen Henson
- Re: [TLS] Non-browser clients. Nelson B Bolyard
- Re: [TLS] Proposal for hybrid solution using most… Nelson B Bolyard
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Non-browser clients. Dr Stephen Henson
- Re: [TLS] Non-browser clients. Eric Rescorla
- Re: [TLS] Non-browser clients. Dr Stephen Henson
- Re: [TLS] Proposal for hybrid solution using most… Nelson B Bolyard
- Re: [TLS] Proposal for hybrid solution using most… Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Nelson B Bolyard
- Re: [TLS] Proposal for hybrid solution using most… Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Non-browser clients. Peter Gutmann
- Re: [TLS] Proposal for hybrid solution using most… David-Sarah Hopwood
- Re: [TLS] Proposal for hybrid solution using most… David-Sarah Hopwood
- Re: [TLS] Proposal for hybrid solution using most… Stefan Santesson
- Re: [TLS] Proposal for hybrid solution using most… Yoav Nir
- Re: [TLS] Proposal for hybrid solution using most… Nelson B Bolyard
- Re: [TLS] Proposal for hybrid solution using most… Pasi.Eronen
- Re: [TLS] The Hardware Angle Pasi.Eronen
- Re: [TLS] Proposal for hybrid solution using most… Pasi.Eronen
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… David-Sarah Hopwood
- Re: [TLS] Proposal for hybrid solution using most… Nelson B Bolyard
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Stefan Santesson
- Re: [TLS] Proposal for hybrid solution using most… Ben Laurie
- Re: [TLS] Proposal for hybrid solution using most… Nicolas Williams
- Re: [TLS] Proposal for hybrid solution using most… Nelson B Bolyard
- Re: [TLS] Proposal for hybrid solution using most… Nicolas Williams
- Re: [TLS] Proposal for hybrid solution using most… Nelson B Bolyard
- Re: [TLS] Proposal for hybrid solution using most… Marsh Ray
- Re: [TLS] Proposal for hybrid solution using most… Yoav Nir
- Re: [TLS] Proposal for hybrid solution using most… Marsh Ray
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Michael D'Errico
- Re: [TLS] Proposal for hybrid solution using most… David-Sarah Hopwood
- Re: [TLS] Proposal for hybrid solution using most… Chris Newman
- Re: [TLS] Proposal for hybrid solution using most… Martin Rex
- Re: [TLS] Proposal for hybrid solution using most… Chris Newman
- Re: [TLS] Proposal for hybrid solution using most… Nelson B Bolyard