IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-tls13-24 supported_versions complexity

Yuhong Bao <yuhongbao_386@hotmail.com> Thu, 01 March 2018 18:59 UTC

Return-Path: <yuhongbao_386@hotmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1ED312ECA2 for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 10:59:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.875
X-Spam-Level:
X-Spam-Status: No, score=-0.875 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Sek5eARUhCH for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 10:59:50 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-oln040092008106.outbound.protection.outlook.com [40.92.8.106]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DC4C1201F2 for <tls@ietf.org>; Thu, 1 Mar 2018 10:59:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=egD/QtnPQvULf59e4rbOm84II/0xzVnK+3pzBmxGbk8=; b=M71shTp4XCeF0B4CI9OMEBUnLfBuPPW/IVfG/cWbTxdTFNlR2SjpeyojX1dgRrcploZncNvNfDAs1RFXweOOQp1d2ldlFVv1nVrTTFbw+t3Cyy8CKHQj/cAK65N7hCcvqeQXIxRqy9A6fCJDHFB7zY34BgM2JS21LE+ffk2x559pGUtr2lZrg9JoOREuoetiU3eia+0iKO1r7OVPeQ1Q2VymJpAorhhSSeHyUTRHcaC+imcZtR+Sa+soRs3l6VFAWZOc6ec3OsPm5aY1ALB0pnAZYyGQ4Pdb+rm6pRKsFT7GNeaoR90XflVyoF5f8f8lboZllQPKrxpxRDU1dk73Xg==
Received: from DM3NAM03FT033.eop-NAM03.prod.protection.outlook.com (10.152.82.57) by DM3NAM03HT037.eop-NAM03.prod.protection.outlook.com (10.152.82.246) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.485.12; Thu, 1 Mar 2018 18:59:49 +0000
Received: from MWHPR1801MB2061.namprd18.prod.outlook.com (10.152.82.57) by DM3NAM03FT033.mail.protection.outlook.com (10.152.82.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.20.527.18 via Frontend Transport; Thu, 1 Mar 2018 18:59:48 +0000
Received: from MWHPR1801MB2061.namprd18.prod.outlook.com ([fe80::3c09:2073:250b:d1aa]) by MWHPR1801MB2061.namprd18.prod.outlook.com ([fe80::3c09:2073:250b:d1aa%13]) with mapi id 15.20.0527.022; Thu, 1 Mar 2018 18:59:48 +0000
From: Yuhong Bao <yuhongbao_386@hotmail.com>
To: David Benjamin <davidben@chromium.org>, "David A. Cooper" <david.cooper@nist.gov>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] draft-ietf-tls-tls13-24 supported_versions complexity
Thread-Index: AQHTsXTmrsd1oIECqkaRq/8Ha6DD7KO7t0+AgAAEnRY=
Date: Thu, 01 Mar 2018 18:59:48 +0000
Message-ID: <MWHPR1801MB2061438BBA3FE41ED5FF9BBCC3C60@MWHPR1801MB2061.namprd18.prod.outlook.com>
References: <9233569e-fc21-e6dd-b84c-6a98e29a4f02@nist.gov>, <CAF8qwaCz1L=S9WWUVx0T41RtEscw2H7kGfLvqUq3FJcvTAc_Pw@mail.gmail.com>
In-Reply-To: <CAF8qwaCz1L=S9WWUVx0T41RtEscw2H7kGfLvqUq3FJcvTAc_Pw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:2B329119146E1F077BD92EC0739B7DD1AEF0BBD0F8AF87262CDAD71BF2E638C6; UpperCasedChecksum:8E63027DDCCB8B7A1B51627B85F4D262C8F76D54153F2EB7F5B2410346FCE69F; SizeAsReceived:7350; Count:47
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [oAlel9TnBgaC+BRKNzp34N6OpYOcLGF8gTK6vq23lmHNhh/66V3EBRF7gfboS7+p]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM3NAM03HT037; 6:83KXbnlqWYpByFFEc3nCvzWvzuBdA5DkaZLzGQCXILPuyXh+QFNKM4IVTM9uLTHv4gdt3pvrRfoehqNk5o0C4BV1nXNlJnysDbjzIV7Zh1R9UXBzDALjVxH62SSQAc24i18cR0sgohhWbpM4YAi5gbrkjPhKGclJB5a4IUCrh8o8DYzudH6MkHVLyE+wH0n+Ws1sBxHFHqu2m+xebem5CKMCACwFKS0f6GjzCbEHrG5AaZFpnoRySfZqCrP7d6Sdu2xDu5JpvHbin8ZAGQmcWN0p5pHSmFEK/gpK2fQ8GYprJcZaYLcIsV46ymuGGacfJNzpyAJw6gt7a6gmmKHAWNfVxha+ooMY5tdzaENFI+I=; 5:C8jjfSPh2aFkrZV3I0qYxXTZaQqejopeBRPyWI2J+g3rBZISH7v4TDiSjFuYM+80w1PVlFUe2Xgzlawza2y0L1Zqi+BaLvKxIGIzTUXKLp0S+gmL9ZNppaJH/o5ZaYVkMlx6ZtrPYOxDCINqnCYBVhvagH4VS6vv6VHKDqjveGo=; 24:AxY3NXOgiOt1pPOUxXLHfZjVIlWFYz6oZP95qAKEuARRj9P6zya9KUhHhVps+mObP0oBz7KzL3N37p4LlKsCCvEV94uIdTjj8FS6l0+ESV4=; 7:i5dnIe25fHYlDLVktW48o4uqS0OXHxWkiYLih//qE7+yMDuYe0Vh4IECuU9Eb49EWIVAgq1SiTUXO9aSSe6UB3rZPTF7SNbpPnL9k+2IeO1pb034x2Iw5vaDZPAkogDwfJX+XXto1QwYJoHDUhuCoNdr+Dk2Ne2oNGN44MpfgSVt6BAm80wIR2EMrT1ztmtzJcPvJy2fXQfVmPWxQsNvFzLg55e9CScZ2XLaIXda9uJAgbFHPJQR14WrgN69Qk5m
x-incomingheadercount: 47
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101448)(1601125374)(1701031045); SRVR:DM3NAM03HT037;
x-ms-traffictypediagnostic: DM3NAM03HT037:
x-ms-office365-filtering-correlation-id: 742855b7-a1d5-4de9-1545-08d57fa69b39
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031); SRVR:DM3NAM03HT037; BCL:0; PCL:0; RULEID:; SRVR:DM3NAM03HT037;
x-forefront-prvs: 05986C03E0
x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:DM3NAM03HT037; H:MWHPR1801MB2061.namprd18.prod.outlook.com; FPR:; SPF:None; LANG:;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 742855b7-a1d5-4de9-1545-08d57fa69b39
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2018 18:59:48.8145 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3NAM03HT037
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5tlJdoKcvY9VLvJ7Cu-_cxQm2oY>
Subject: Re: [TLS] draft-ietf-tls-tls13-24 supported_versions complexity
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2018 18:59:52 -0000

Of course, the arms race with middleboxes was what added the complexity in the first place.

________________________________________
From: TLS <tls-bounces@ietf.org> on behalf of David Benjamin <davidben@chromium.org>
Sent: Thursday, March 1, 2018 10:42:55 AM
To: David A. Cooper
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-tls13-24 supported_versions complexity

FWIW, this was BoringSSL's interpretation as well. We don't consider supported_versions an acceptable TLS 1.2 (or earlier) ServerHello extension. I generally agree that we shouldn't add new unnecessary combinations.

(TBH, I don't even consider the ability to advertise TLS 1.3 and TLS 1.1 on the client side to be an especially valuable feature, but I suppose that falls out naturally enough.)

David

On Thu, Mar 1, 2018 at 10:49 AM David A. Cooper <david.cooper@nist.gov<mailto:david.cooper@nist.gov>> wrote:


I believe you are misinterpreting the text, but agree that it could be
made more clear.

Suppose that the ClientHello includes a supported_versions extensions
that contains two values, TLS 1.4 and TLS 1.0, and the server supports
TLS 1.3 and below. My interpretation of the current draft is that the
server MUST use the supported_versions extension to determine the
client's preference, but then once deciding to use TLS 1.0 for the
connection sends a normal TLS 1.0 ServerHello, with version field set to
0x0300 and no supported_versions extension. Note that Section 4.2.1 says
that

      A server which negotiates TLS 1.3 MUST respond by sending a
      "supported_versions" extension containing the selected version
      value (0x0304).

It says nothing about a server that negotiates an earlier version.

If my understanding is correct, then I believe the text in Section 4.1.3
could be made more clear. Draft -21 said that the version field of
ServerHello "contains the version of TLS negotiated for this
connection." (this is similar to what RFC 5246 said). The current draft
says:

       In TLS 1.3, the TLS server indicates its version using the
       "supported_versions" extension (Section 4.2.1), and the
       legacy_version field MUST be set to 0x0303, which is the
       version number for TLS 1.2.

To be consistent with RFC 5246 and earlier, it seems like the text
should say something like:

       For a TLS 1.3 ServerHello the TLS server indicates its version
       using the "supported_versions" extension (Section 4.2.1), and
       the legacy_version field MUST be set to 0x0303, which is the
       version number for TLS 1.2. For a TLS 1.2 and earlier ServerHello
       the legacy_version field contains the version of TLS negotiated
       for this connection.

On Thu, Mar 1, 2018 at 5:24 AM, Nikos Mavrogiannopoulos
<nmav@redhat.com<mailto:nmav@redhat.com>> wrote:

> The TLS draft after version -21 requires TLS1.3 servers to negotiate
> pre-TLS1.3 versions with a new, mechanism. The document states:
>
>    "If this extension is present, servers MUST ignore the
>    ClientHello.legacy_version value and MUST use only the
>    "supported_versions" extension to determine client preferences."
>
> ...
>
>    "Note that this mechanism makes it possible to negotiate a
>    version prior to TLS 1.2 if one side supports a sparse range."
>
>
> At this point, a server receiving a supported_versions extension which
> contains the single value 'TLS 1.0' has to follow the draft's
> recommendations and do:
>
>   1. It MUST set the ServerHello.legacy_version field to 0x0303
>      (TLS 1.2).
>   2. On the serverHello extensions include a supported_versions
>      extension and advertise TLS1.0
>
> That modifies the way TLS 1.1  or TLS 1.0 are negotiated, possibly
> introducing new issues with middle-boxes which see TLS1.2 in the
> ServerHello but TLS1.0 anywhere else. That is also a quite impossible
> code path (why would an implementation negotiate TLS1.0 using a TLS1.3
> mechanism?). It is however anticipated to be used for that purpose as
> this draft mentions:
>
>    "Servers should be prepared to receive ClientHellos that include
>     this extension but do not include 0x0304 in the list of versions."
>
> Irrespective to any middle-box issues, I believe impossible code paths
> allowed by the protocol are more likely to cause problems than solve
> any, because they are often not tested, and provide attackers with
> additional tools to manipulate implementations.
>
> My recommendation to address that would to either ignore that extension
> if pre-TLS1.2 is negotiated, or revert to -21 draft behavior for pre-
> TLS1.3 protocol negotiation. That is, the server MUST not send the
> supported_versions extension if a pre-TLS1.3 protocol is to be
> negotiated. The first case ensures that there is a single way to
> negotiate TLS1.x, where x<3, and the second that the clientHello
> extension is only used informatively.
>
> regards,
> Nikos

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email