Re: [TLS] Thoughts on Version Intolerance

David Benjamin <davidben@chromium.org> Mon, 18 July 2016 13:55 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0503212DFE0 for <tls@ietfa.amsl.com>; Mon, 18 Jul 2016 06:55:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.986
X-Spam-Level:
X-Spam-Status: No, score=-3.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ba0TZyNi1Dt for <tls@ietfa.amsl.com>; Mon, 18 Jul 2016 06:55:26 -0700 (PDT)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 727B812DAE9 for <tls@ietf.org>; Mon, 18 Jul 2016 06:30:14 -0700 (PDT)
Received: by mail-io0-x22d.google.com with SMTP id 38so159347473iol.0 for <tls@ietf.org>; Mon, 18 Jul 2016 06:30:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=uvIXO5NwIpmVRzjK/2a4+BMY7ZmGc7xsfHnAAQxqEnE=; b=JqtPL5l0lNuyd4KX7UHQ/B6rGLiH/UPoP8p5ue7OkEbNh30W+IAIe+ZC0W74gyeOIF zkrteiKj73Z9ey0ewaC7ErWv/GmH80V00UKtjWQczwIHQvDCScefiw3jauitMuscgdOv jIDW0rGVHwtYqN5g5tbtNSP1g+ReHxAzoiGZE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=uvIXO5NwIpmVRzjK/2a4+BMY7ZmGc7xsfHnAAQxqEnE=; b=TvFJJkRWBgY+vJr5KUuu4nljd64CCyQaN5YtnE6bl215Iuv4nPgA3oN8W9CVFhgU5P eHeFruVvAwhuQ6TU6EGhMwIjS3ibWoSbr+IdUNnjEmdKqyV48n08Js/yEozQPLxWjfnr 7V5WLcs+nS+Ky43WD3FwHTrAinG2yq4aCKyjCe3FpZj6m+ErJCHkDB8ve6s4m4u2Hkxy 0JPT0A3HReO8Rh63qhAsVrhyCEPS1KDkfk+VtcfiigTee0mPFRXoOjl89uTp+ZfT9KmB LgLpi75UcolDoUasytYaKgUtIfdIEgc5vmbFHkxE1n0gOWgMo3MxRI/z+HJDVMoCJlbd iOBQ==
X-Gm-Message-State: ALyK8tLLPMduyaRuYci3lpHBOq6fnkuPdAkOjTNrPHtO6c7FvMWDJqv6YDpVpQ7xFim9ONYo57IZxvsiiZfdlW0T
X-Received: by 10.107.128.25 with SMTP id b25mr36849220iod.110.1468848613571; Mon, 18 Jul 2016 06:30:13 -0700 (PDT)
MIME-Version: 1.0
References: <20160718130843.0320d43f@pc1>
In-Reply-To: <20160718130843.0320d43f@pc1>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 18 Jul 2016 13:30:04 +0000
Message-ID: <CAF8qwaA3oO+ncEdJHszCYbhyt57j6wPa+hVeYSBvfb-hTkGiyA@mail.gmail.com>
To: =?UTF-8?Q?Hanno_B=C3=B6ck?= <hanno@hboeck.de>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=001a113fb596d79df70537e8f75b
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5vbfpxL8o2AtO0grVpn5fJkScTM>
Subject: Re: [TLS] Thoughts on Version Intolerance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2016 13:55:31 -0000

If we keep trying to salvage the ClientHello version number, we will be
chasing down intolerance forever. (And I'm honestly bored of doing that.)
I'd prefer we move it to an extension. Either an empty indicator extension
for each version or a single version extension with a list of versions. Or
maybe fake cipher suites if people want it nearer the front.

The important thing is lists can be actively defended. We simply burn a
bunch of u16s and have clients advertise a few random fake ones in every
ClientHello. (I'll be writing something up soon to request that range for
extensions, cipher suites, and curves.) I expect this will make it much
less likely anyone will accidentally ship a server that rejects unknown
versions (or whatever else).

On Mon, Jul 18, 2016 at 1:08 PM Hanno Böck <hanno@hboeck.de>; wrote:

> Hi,
>
> Recently both Adam Langley [1] and David Benjamin [2] indicated that
> they expect with TLS 1.3 Browsers will have to bring back the infamous
> version falbacks that caused so much trouble in the past (POODLE etc.)
> to work around broken implementations of the TLS handshake.
>
> I don't blame browser vendors for this, I can understand their
> reasoning why they think they have to do this, although I don't share
> their opinion. But I think this sheds a light on the sorry state of TLS
> implementations and I want to ask if there's a better way out of this.
>
> Let me quickly summarize how I see the situation:
> * The issue has been known for a long time. I found a document from
>   Mozilla [3] from 2003 that describes the core issue.
> * While there is a lot of scattered discussion about the issue, the
>   pure documentation status of this problem is far from ideal. I am not
>   aware of any good documentation that even describes how exactly
>   version intolerance happens. The "classic" variant seems to be
>   implementations that just close the connection if they are contacted
>   with a version number higher than what they support. But there are
>   also weirder variants where a connection attempt with TLS 1.2 will be
>   downgraded to SSLv3, but a connection attempt with TLS 1.0 will lead
>   to an answer with TLS 1.0.


(I have only seen this once. I'm guessing someone tried to write a filter
which dispatched between two different backends and got it wrong.)


> Questions I couldn't easily answer is how
>   connections are terminated (TCP disconnect? TLS alert? Timeouts?)
>

Connections can get shut off in all kinds of ways. It's buggy servers
getting confused, so the space is pretty open-ended. Various flavors of TCP
disconnects happen, as do alerts. (Not timeouts. Those we can't even
address with a fallback.)


>   Also I'm not fully aware what the different version numbers
>   (ClientHelo + record version number) mean in context of a handshake
>   and how this influences version intolerance issues.
>

The record version number is meaningless in the protocol. It's frozen at
TLS 1.0 for the ClientHello (and, in 1.3, for all records) and not relevant
for version negotiation or fallbacks.

(Note: at least a while ago SSL Labs' intolerance check incorrectly used
the record-layer number. I don't know if this has been fixed. But apart
from that bug, there is no relation between the two.)


> * There don't seem to be any straightforward tools that test for
>   version intolerance. The SSL Labs test does detect version
>   intolerance, but it's limited to public facing https servers and it
>   doesn't seem to detect some of the weirder variations (as described
>   above). There's also a test in Hubert Kario's tlsfuzzer, but I've
>   been unable to get it to work. I tried to create a test myself, but
>   the results were highly erratic and I'm not sure why.
> * We don't have good data on the issue. The latest numbers I could find
>   came from Ivan Ristic in 2013 [4], and from David Benjamin we know he
>   considers the problem to be large enough that version fallbacks are
>   inevitable. That's far from good data. We also don't seem to have any
>   public list of affected vendors, devices and webpages.
>

I have quite conclusive data. TLS 1.3 version intolerance is real. The
version negotiation mechanism in draft-ietf-tls-tls13-14 will not be
deployable on the web without a fallback. 2% is a very large number.

I don't want to play the "davidben publicly shames such-and-such site or
vendor" game, which is why I haven't been naming names and reaching out to
people privately. If you prefer a more noisy approach, I didn't do anything
complicated. Just send a 1.2 ClientHello and then swap the number for 1.3
to see if it stopped working.


> I want to try to work on some of those issues in the near future.
> Roughly I'd like to see that we work on a plan to reduce TLS brokenness
> in general and in particular - right now as this is an issue affecting
> the deployment of TLS 1.3 - Version intolerance.
>
> Things that I think we could and should do:
> * Talk to developers of test tools (sslyze, testssl, openvas, but also
>   commercial tools etc.) that they include appropriate tests in their
>   tools and warn about these issues. Also it'd be great if e.g. things
>   like the google webmaster tools or any other public test tools for
>   webservers/websites could test for this.
>

Test suites are great, but I don't think we can rely on people to know to
run them in every corner of the ecosystem.

* Raise this issue with pentesters and tell them they should include
>   this when they're testing devices / products. (Of course this
>   requires to have test tools in the first place.)
> * Get some data from internet wide scans and make it public. Maybe have
>   a public shame list of the top X pages breaking TLS.
> * In general, more and better detailed documentation of this and
>   similar issues, also raise this as a potential research topic.
>
> My hope would be that we can avoid the reintroduction of version
> fallbacks or at the very least reduce the amount of time they have to
> be used. And hopefully at least avoid them altogether for TLS 1.4 or
> whatever comes after 1.3.
>

The only way we're going to do that is by ditching the ClientHello.version
field.


> I'm in Berlin at IETF96 in case people want to discuss this. As this is
> terribly late for this I don't know if this can be included in the TLS
> WG discussion as it's probably already packed with other issues (but I'd
> happily introduce the issue if people want to discuss it).
>
>
> [1] https://www.imperialviolet.org/2016/05/16/agility.html
> [2] https://www.ietf.org/mail-archive/web/tls/current/msg20207.html
> [3]
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Notes_on_TLS_-_SSL_3.0_Intolerant_Servers
> [4] https://www.ietf.org/mail-archive/web/tls/current/msg10657.html
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno@hboeck.de
> GPG: BBB51E42
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>