Re: [TLS] MUST <x> or what?
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 27 August 2015 20:02 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C8F11A802E for <tls@ietfa.amsl.com>; Thu, 27 Aug 2015 13:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0bigAx9O9g1p for <tls@ietfa.amsl.com>; Thu, 27 Aug 2015 13:02:19 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 860201A6EE8 for <tls@ietf.org>; Thu, 27 Aug 2015 13:02:15 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 8B589284D23; Thu, 27 Aug 2015 20:02:08 +0000 (UTC)
Date: Thu, 27 Aug 2015 20:02:08 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150827200208.GV9021@mournblade.imrryr.org>
References: <CABkgnnXFyuf_3pPs8ByJpbOGgPDb2XMfVOZAUA42bmJEB_Vynw@mail.gmail.com> <201508271519.49848.davemgarrett@gmail.com> <CABcZeBM5SiO1dh2YxkLcmgspYm-Ug3p_mWs_OypKiHcK-iqD_w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBM5SiO1dh2YxkLcmgspYm-Ug3p_mWs_OypKiHcK-iqD_w@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/4Z8WaU9XE3X93r8AX4oy1QRB2lc>
Subject: Re: [TLS] MUST <x> or what?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 20:02:20 -0000
On Thu, Aug 27, 2015 at 12:26:03PM -0700, Eric Rescorla wrote: > My problem is precisely the conflation of offering with negotiating. The > way that many stacks work (for instance NSS) is that they negotiate the > cipher suite *first* and then they check for the presence or absence of > the relevant extensions. > > It's not clear to me that it's an improvement to require them to check > for error conditions that are not otherwise relevant. One issue related to "layered" negotiation, in which one first chooses X, then with X already chosen, chooses Y, ... is that some choices of X are not compatible with any available Y, while other choices of X might work. A specific example may help: Many libraries will first choose the highest mutually supported protocol version, and only then select a mutually supported cipher suite. However, not all ciphersuites are compatible with all protocols versions. So we can have situations in which TLS 1.2 and TLS 1.3 are offered by the client and TLS 1.3 is selected by the server, but none of the ciphers offered by the client are AEAD. Should the server have chosen TLS 1.2, or MUST the client figure out that it can't do TLS 1.3 and not offer it. There will undoubtedly be clients that naively give the server "impossible" options along with other options that work. Should servers try to handle this gracefully? Note that in the above scenario the client might offer *some* TLS 1.3 compatible ciphers, but it may happen that none are shared by the server, while they both share common TLS 1.2 ciphers. One way to avoid such problems is to suggest that clients that don't offer the MTI ciphers for a particular protocol version (and thus can't generically expect interoperability with servers that implement that protocol) SHOULD NOT offer the protocol version. Libraries might then have an option that is on by default, and suppresses protocols for which the MTI ciphers are not enabled. Clients that really want to offer only non-MTI ciphers would have to clear the option explicitly. Half-baked ideas aside, some discussion of the problem may be relevant so that servers or clients avoid negotiating impossible partial choices. -- Viktor.
- [TLS] MUST <x> or what? Martin Thomson
- Re: [TLS] MUST <x> or what? Eric Rescorla
- Re: [TLS] MUST <x> or what? Dave Garrett
- Re: [TLS] MUST <x> or what? Eric Rescorla
- Re: [TLS] MUST <x> or what? Dave Garrett
- Re: [TLS] MUST <x> or what? Martin Thomson
- Re: [TLS] MUST <x> or what? Viktor Dukhovni
- Re: [TLS] MUST <x> or what? Martin Thomson
- Re: [TLS] MUST <x> or what? Eric Rescorla
- Re: [TLS] MUST <x> or what? Eric Rescorla
- Re: [TLS] MUST <x> or what? Salz, Rich
- Re: [TLS] MUST <x> or what? Dave Garrett
- Re: [TLS] MUST <x> or what? Peter Gutmann
- Re: [TLS] MUST <x> or what? Peter Gutmann