Re: [TLS] Cipher suite values to indicate TLS capability

Adam Langley <agl@google.com> Tue, 05 June 2012 23:35 UTC

From: Adam Langley <agl@google.com>
To: Geoffrey Keating <geoffk@geoffk.org>
Cc: tls@ietf.org
Date: Tue, 05 Jun 2012 19:35:31 -0400
Message-ID: <CAL9PXLy_Lr+-ehOKSddtooVBpgUzxCyLKhWghC7UtOAt3HH2Rw@mail.gmail.com>
In-Reply-To: <m2sje9xsc0.fsf@localhost.localdomain>

On Tue, Jun 5, 2012 at 7:16 PM, Geoffrey Keating <geoffk@geoffk.org> wrote:
> Could you simply send the ECDHE values anyway?  If the remote end
> accepts them, you can reasonably be sure you're under a downgrade
> attack (but see below).

We would need to send both the ECDHE ciphersuites and the extensions
outlining the acceptable curves and point formats. Adding all that
would reasonably cause SSLv3-only servers to reject the ClientHello.

> One problem with this proposal is that in practice it isn't really
> indicating 'TLS 1.0 capable'.  A system might actually support TLS
> 1.0, but not extensions, or it might have trouble parsing the
> particular EC extensions you sent, or some other extension, or it
> might not like the negotiated cipher suite, or the total number of
> proposed cipher suites, or the compression algorithm.  Or it could
> have mysteriously failed (once) for reasons unconnected to the TLS
> negotiation.

Well, all of those save the last are failures to implement TLS
correctly, so then it's not TLS capable :)

(As for transient network errors: these happen but fallback isn't
intended to work around them. Whatever reconnection logic we might
have is orthogonal to this and would be common between HTTP and HTTPS
connections. We don't actually do fallback from TLS to SSLv3 for TCP
level errors in Chrome.)

Obviously this is a sacrifice of elegance on the altar of practical
need. What the SCSV effectively says is that the server implements TLS
to a level that was common at the time that servers started to be
patched with SCSV support. That isn't perfect, or even good, but it is
still very useful.
Cheers

AGL
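The mechanism argued over in this thread, as an added example that is not code from the mail, from Chrome, or from any IETF draft: a toy model of a client that walks down the version list on TLS-level failures only, appends a signalling cipher suite on every retry, and a server that aborts when it sees that signal together with a version below its own maximum. The SCSV value 0x5600 is the one later reserved in RFC 7507, not a value from this mail; the `Server`, `ClientHello`, `build_hello` and scenario names are constructed for the example, and the "unpatched" server and on-path attacker are constructed stand-ins for the two caveats the mail raises (servers that predate the SCSV, and servers that choke on extensions).

```python
"""Toy model of TLS version fallback with the fallback SCSV (added example, not code from the mail)."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

Version = Tuple[int, int]   # wire-order (major, minor); tuples compare in version order
SSL30, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)

# Cipher-suite value reserved for the fallback signal in RFC 7507 (from that RFC, not
# from the mail). The other two are real IANA values used only as stand-ins.
TLS_FALLBACK_SCSV = 0x5600
RSA_AES128_SHA = 0x002F
ECDHE_RSA_AES128_SHA = 0xC013

@dataclass
class ClientHello:
    client_version: Version
    cipher_suites: List[int]
    extensions: List[str] = field(default_factory=list)

class HandshakeFailure(Exception):
    """TLS-level failure (alert, garbage reply): the only kind fallback reacts to."""

class InappropriateFallback(HandshakeFailure):
    """Server saw the SCSV while the offered version was below its own maximum."""

class TcpError(Exception):
    """Transport error: per the mail, Chrome does not fall back on these."""

class Server:
    """Hypothetical server model; knows_scsv=False stands for a server not yet patched."""
    def __init__(self, max_version: Version, tolerates_extensions=True, knows_scsv=True):
        self.max_version = max_version
        self.tolerates_extensions = tolerates_extensions
        self.knows_scsv = knows_scsv

    def handle(self, hello: ClientHello) -> Version:
        if hello.extensions and not self.tolerates_extensions:
            raise HandshakeFailure("cannot parse a ClientHello carrying extensions")
        if (self.knows_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.client_version < self.max_version):
            raise InappropriateFallback("client fell back below what this server supports")
        return min(hello.client_version, self.max_version)

def build_hello(version: Version, fallback: bool) -> ClientHello:
    """ECDHE suites need the curve and point-format extensions, so they are offered
    only at TLS 1.0 and up; the SCSV is appended on every retry after the first."""
    suites, extensions = [RSA_AES128_SHA], []
    if version >= TLS10:
        suites.insert(0, ECDHE_RSA_AES128_SHA)
        extensions = ["elliptic_curves", "ec_point_formats"]
    if fallback:
        suites.append(TLS_FALLBACK_SCSV)
    return ClientHello(version, suites, extensions)

def connect_with_fallback(send: Callable[[ClientHello], Version],
                          versions=(TLS12, TLS10, SSL30)) -> Version:
    """Walk down the version list, retrying only on TLS-level failures. An
    inappropriate_fallback alert or a TCP error ends the attempt immediately."""
    for attempt, version in enumerate(versions):
        try:
            return send(build_hello(version, fallback=attempt > 0))
        except InappropriateFallback:
            raise               # the downgrade signal: never go lower
        except HandshakeFailure:
            continue            # this server choked on the hello; try the next version
    raise HandshakeFailure("no version accepted")

# Scenarios; each returns a value the reader can check.
def scenario_modern_server() -> Version:
    return connect_with_fallback(Server(TLS12).handle)

def scenario_ssl3_only_server() -> Version:
    # Old server that rejects extensions: the fallback is legitimate and the SCSV is harmless.
    return connect_with_fallback(Server(SSL30, tolerates_extensions=False).handle)

def _downgrade_attempt(server: Server) -> str:
    # Constructed on-path attacker that breaks every TLS ClientHello and lets SSLv3 through.
    def tampered(hello: ClientHello) -> Version:
        if hello.client_version > SSL30:
            raise HandshakeFailure("connection torn down")
        return server.handle(hello)
    try:
        connect_with_fallback(tampered)
    except InappropriateFallback:
        return "detected"
    return "undetected"

def scenario_downgrade_patched_server() -> str:
    return _downgrade_attempt(Server(TLS12))

def scenario_downgrade_unpatched_server() -> str:
    # The caveat in the mail: a server that predates the SCSV simply ignores it.
    return _downgrade_attempt(Server(TLS12, knows_scsv=False))

def scenario_tcp_error() -> int:
    # Transport errors propagate after one attempt instead of triggering fallback.
    sent: List[ClientHello] = []
    def reset(hello: ClientHello) -> Version:
        sent.append(hello)
        raise TcpError("connection reset")
    try:
        connect_with_fallback(reset)
    except TcpError:
        pass
    return len(sent)
```

The two downgrade scenarios together are the point of the mail's last paragraph: against a server that checks the signal the forced SSLv3 connection is refused, while a server that has never heard of the SCSV negotiates SSLv3 as if nothing happened, so the protection only says something about servers patched to the level common at the time.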