Re: [TLS] Keeping TLS extension points working

Hubert Kario <hkario@redhat.com> Thu, 28 July 2016 15:07 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B59712D7FF for <tls@ietfa.amsl.com>; Thu, 28 Jul 2016 08:07:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.209
X-Spam-Level:
X-Spam-Status: No, score=-8.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y396SlLr5pf1 for <tls@ietfa.amsl.com>; Thu, 28 Jul 2016 08:07:57 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69EEE12D647 for <tls@ietf.org>; Thu, 28 Jul 2016 08:07:57 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 5EC2685A06; Thu, 28 Jul 2016 14:59:53 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (dhcp-0-107.brq.redhat.com [10.34.0.107]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u6SExpHN016446 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Jul 2016 10:59:53 -0400
From: Hubert Kario <hkario@redhat.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 28 Jul 2016 16:59:41 +0200
Message-ID: <7502983.MiB8z2zUIC@pintsize.usersys.redhat.com>
User-Agent: KMail/5.2.3 (Linux/4.6.4-301.fc24.x86_64; KDE/5.24.0; x86_64; ; )
In-Reply-To: <CACsn0cm+-XxAJ7Oz0RBgwUWJD3zcUZMwSrzS66igdkfTJ1YUFw@mail.gmail.com>
References: <CAF8qwaCaW2Q+z_JoDqzQZaGCWJ2aqUiyK8_J8_CO4Ck_cqtaSA@mail.gmail.com> <1484484.N0J803EhZs@pintsize.usersys.redhat.com> <CACsn0cm+-XxAJ7Oz0RBgwUWJD3zcUZMwSrzS66igdkfTJ1YUFw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3478932.FigcROExuq"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Thu, 28 Jul 2016 14:59:53 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1ynJgqKeXrOV_mqrMAICGZ40p8o>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Keeping TLS extension points working
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 15:07:59 -0000

On Thursday, 28 July 2016 06:12:48 CEST Watson Ladd wrote:
> On Thu, Jul 28, 2016 at 3:28 AM, Hubert Kario <hkario@redhat.com> wrote:
> > On Wednesday, 27 July 2016 09:50:18 CEST Wan-Teh Chang wrote:
> >> On Mon, Jul 25, 2016 at 3:32 PM, David Benjamin <davidben@chromium.org>
> > 
> > wrote:
> >> > Hi folks,
> >> > 
> >> > I'm not sure how this process usually works, but I would like to
> >> > reserve a
> >> > bunch of values in the TLS registries to as part of an idea to keep our
> >> > extension points working. Here's an I-D:
> >> > https://tools.ietf.org/html/draft-davidben-tls-grease-00
> >> > 
> >> > (The name GREASE is in honor of AGL's rusted vs. well-oiled joints
> >> > analogy
> >> > from https://www.imperialviolet.org/2016/05/16/agility.html )
> >> > 
> >> > One problem we repeatedly run into is servers failing to implement
> >> > TLS's
> >> > various extension points correctly. The most obvious being version
> >> > intolerance. When we deployed X25519 in Chrome, we discovered an
> >> > intolerant
> >> > implementation. (Thankfully it was rare enough to not warrant a
> >> > fallback
> >> > or
> >> > revert!) It appears that signature algorithms maybe also be gathering
> >> > rust.
> >> > Ciphers and extensions seem to have held up, but I would like to ensure
> >> > they stay that way.
> >> > 
> >> > The root problem here is these broken servers interoperate fine with
> >> > clients at the time they are deployed. It is only after new values get
> >> > defined do we notice, by which time it is too late.
> >> > 
> >> > I would like to fix this by reserving a few values in our registries so
> >> > that clients may advertise random ones and regularly exercise these
> >> > codepaths in servers. If enough of the client base does this, we can
> >> > turn
> >> > a large class of tomorrow's interop failures into today's interop
> >> > failures. This is important because an bug will not thrive in the
> >> > ecosystem if it does not work against the current deployment.
> >> 
> >> Hi David,
> >> 
> >> In general I like your idea. Thank you for writing up a proposal.
> >> 
> >> Another source of interop failures is the firewall devices that do
> >> anomaly detection. Some of them will abort TLS handshakes if they see
> >> unknown TLS protocol versions or extensions in ClientHello. (They all
> >> seem to allow unknown cipher suite values.) I suspect they will treat
> >> the GREASE cipher suite, extension, and named group values as "normal"
> >> and continue to abort the handshake if they see truly new values. I
> >> can only hope that these network security devices are updated
> >> regularly.
> > 
> > how about adding a section that explicitly says what they are allowed to
> > do, and what they should not do?
> > 
> > i.e. it is acceptable for them to reject messages that are malformed (data
> > in client hello past extensions field, odd sizes for arrays that contain
> > just double-byte values, etc.) but not "undefined" extensions or
> > "undefined" values in them
> 
> This is what parsing is for.

yes, and bugs in parsing may very well be exploitable
 
> > in other words, how they can still provide added value without breaking
> > TLS in the future
> 
> Maybe they can't, and you shouldn't buy those products.

pragmatist would say that double checking is defence in depth

and whatever we think, doesn't change the fact that people do make them 
because people do buy them, so at least we can tell them how they can play 
nice

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 99/71, 612 45, Brno, Czech Republic