IETF Logo Mail Archive

Re: [TLS] Version (in)tolerance

Martin Rex <mrex@sap.com> Thu, 17 June 2010 14:21 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9092D3A6855 for <tls@core3.amsl.com>; Thu, 17 Jun 2010 07:21:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.715
X-Spam-Level:
X-Spam-Status: No, score=-7.715 tagged_above=-999 required=5 tests=[AWL=-0.066, BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HEMuOPQTL4fS for <tls@core3.amsl.com>; Thu, 17 Jun 2010 07:21:06 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 339713A67D3 for <tls@ietf.org>; Thu, 17 Jun 2010 07:21:06 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o5HEL0nV007112 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 17 Jun 2010 16:21:00 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201006171420.o5HEKxq9002213@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Thu, 17 Jun 2010 16:20:59 +0200
In-Reply-To: <4C1A0D75.1050309@extendedsubset.com> from "Marsh Ray" at Jun 17, 10 06:56:37 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Version (in)tolerance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jun 2010 14:21:07 -0000

Marsh Ray wrote:
> 
> On 6/17/2010 1:48 AM, Peter Gutmann wrote:
> > "Brian Smith" <brian@briansmith.org> writes:
> > 
> >> NSS has an explicit check that the first byte of every version 
> >> number is 0x03. I imagine other implementations have a similar 
> >> check.
> > 
> > I do that too, and it's quite deliberate, we've been using 3.x for 
> > 15-odd years and there's no sign, even with major incompatible 
> > protocol revisions, that we're going to 4.x at any point.
> 
> But this is the part of the handshake where the protocol version hasn't
> actually been agreed on yet. Some future TLS may, in fact, be a big
> protocol change but a server is still wrong to refuse to interoperate on
> the basis that the client merely proposed a higher protocol version.
> 
> For testing purposes, a client which specified a client_version of
> 0xFFFF should be able to successfully handshake using the highest
> version the server supports. This works with some implementations today.


Maybe you want to turn your attention to the DTLS spec
and reconsider your recommendation:

http://tools.ietf.org/html/rfc-4347#section-4


      version
       The version of the protocol being employed.  This document
       describes DTLS Version 1.0, which uses the version { 254, 255
       }.  The version value of 254.255 is the 1's complement of DTLS
       Version 1.0. This maximal spacing between TLS and DTLS version
       numbers ensures that records from the two protocols can be
       easily distinguished.  It should be noted that future on-the-wire
       version numbers of DTLS are decreasing in value (while the true
       version number is increasing in value.)


> 
> > Any change to 4.x is therefore going to either never happen or will 
> > be something so major, probably a complete break of the entire 
> > protocol, that I want to force users to upgrade to a completely new 
> > release.
> 
> A. We don't know anything about future protocols yet, other than that
> the client hello message will probably try to maintain compatibility
> back to 1.0 and IANA-assigned identifiers won't collide. If, after all,
> TLS version 1.2 is 0x0303 then who can say what 0x0404 will mean?


TLS protocol_version numbers work differently.  The version negotiation
is not capable of dealing with "holes".  So the next version of TLS
should be using the protocol_version of { 0x03, 0x04 }, no matter how
much it differs from TLSv1.2 (protocol_version { 0x03, 0x03 }) and
even if we give it the "marketing name" TLSv2.0, it should use the
protocol_version { 0x03, 0x04 } on the wire.

But there is really a design problem in the "common version" negotiation
of TLS because of the implication that the client supports lower
protocol version than the one it proposes.

If we were to define a substantially different TLSv2.0, and a problem
would be found that needed fixing, the current versioning precludes
that a TLSv1.3 is defined _after_ a TLSv2.0.  -- which is why I
strongly prefer fancy new features to be added through TLS extensions
rather than a bump of the protocol version -- because it can be
more easily adopted by implementations and the installed base.


-Martin

v2.23.0 | Report a Bug | By Email