Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-09.txt
Juho Vähä-Herttua <juhovh@iki.fi> Sat, 12 June 2010 21:07 UTC
Return-Path: <juhovh@iki.fi>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0628B3A67DA; Sat, 12 Jun 2010 14:07:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.301
X-Spam-Level:
X-Spam-Status: No, score=0.301 tagged_above=-999 required=5 tests=[BAYES_50=0.001, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0+hI44IuW+rO; Sat, 12 Jun 2010 14:07:58 -0700 (PDT)
Received: from smtp-3.tky.hut.fi (smtp03.tky.fi [82.130.63.73]) by core3.amsl.com (Postfix) with SMTP id 8882D3A67F2; Sat, 12 Jun 2010 14:07:57 -0700 (PDT)
Received: from smtp.vaha-herttua.fi ([82.130.46.36]) by smtp-3.tky.hut.fi (SMSSMTP 4.1.9.35) with SMTP id M2010061300074214405 ; Sun, 13 Jun 2010 00:07:42 +0300
Received: from vagabond.lan (qer2.kyla.fi [82.130.46.10]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.vaha-herttua.fi (Postfix) with ESMTPSA id 936E7180EE; Sun, 13 Jun 2010 00:07:43 +0300 (EEST)
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: Juho Vähä-Herttua <juhovh@iki.fi>
In-Reply-To: <4C13953A.8040107@gnutls.org>
Date: Sun, 13 Jun 2010 00:07:43 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <D094D406-40A5-4DA0-8EB7-A18FFA91BC15@iki.fi>
References: <20100612034512.CB07A3A687D@core3.amsl.com> <4C13953A.8040107@gnutls.org>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
X-Mailer: Apple Mail (2.1078)
Cc: Internet-Drafts@ietf.org, tls@ietf.org, i-d-announce@ietf.org
Subject: Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-09.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jun 2010 21:07:59 -0000
On 12.6.2010, at 17.10, Nikos Mavrogiannopoulos wrote:
>> This document provides specifications for existing TLS extensions. It
>> is a companion document for the TLS 1.2 specification [RFC5246]. The
>> extensions specified are server_name, max_fragment_length,
>> client_certificate_url, trusted_ca_keys, truncated_hmac, and
>> status_request.
>
> It has been mentioned before, but I think its worthwhile to bring it up
> again. The "Maximum Fragment Length" extension only allows setting a
> fragment length that is lower than 2^14... Why not allow larger sizes
> than that?
I haven't seen any earlier discussion related to this, so consider me as an outsider. However, the document is a companion document for the TLS 1.2 specification and the TLS 1.2 specification says:
The length (in bytes) of the following TLSPlaintext.fragment. The
length MUST NOT exceed 2^14.
I think overriding the specification with this extension would be a really bad idea, and even then the hard limit of 2^16 would apply, since fragment length is an uint16.
I have no exact information about where 2^14 the limit itself is coming from (it dates all the way back to SSL 3.0), but I can imagine it has something to do with values 2^15 and up being negative if signed 16-bit integers are used. Therefore bad implementations might break, in case fragment length is 2^15 or larger and they are using signed integer instead of unsigned. Specifying it as lower than 2^14 is a safe bet, since even with all the headers and extra payload it can't really go over the 2^15 limit.
Juho
- [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-09.txt Internet-Drafts
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Peter Gutmann
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Joseph Salowey (jsalowey)
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Martin Rex
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- [TLS] max_fragment_length values (was: RE: I-D Ac… Pasi.Eronen
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Donald Eastlake
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Martin Rex
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Peter Gutmann
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Juho Vähä-Herttua
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Nikos Mavrogiannopoulos
- [TLS] DTLS and large messages t.petch
- Re: [TLS] DTLS and large messages Juho Vähä-Herttua
- Re: [TLS] DTLS and large messages Michael Tüxen
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] DTLS and large messages t.petch
- Re: [TLS] DTLS and large messages Michael Tüxen
- Re: [TLS] DTLS and large messages Pasi.Eronen
- Re: [TLS] DTLS and large messages Michael Tüxen
- Re: [TLS] I-D Action:draft-ietf-tls-rfc4366-bis-0… Peter Gutmann