Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

Dave Garrett <davemgarrett@gmail.com> Fri, 03 June 2016 04:17 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/78Ar0ExZdgkIyPGk_tzH2hOM6rk>

Alrighty then; time to dust off and rebase an old changeset I was fiddling with last year on this topic:
https://github.com/davegarrett/tls13-spec/commit/058ff1518508b094b8c9f1bd4096be9393f20076
(I cleaned up a bit when rebasing, but it probably needs some work; was just a WIP branch, never a PR)

This was the result of prior discussions on-list about TLS version intolerance. The gist of the proposal:
1) Freeze all the various version number fields.
2) Send a list of all supported versions in an extension. (version IDs converted to 16-bit ints instead of 8-bit pairs)
3) Use short (1 or 2 value, based on hello version) predefined lists for hellos from old clients not sending the extension.
4) Compare lists to find highest overlap, avoiding guesswork or problems with noncontinuous lists.
5) Forget the old mess of version intolerance existed.

Do we want to consider scrapping the old version negotiation method again?


Dave
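
Steps 2 to 4 of the proposal above, sketched as server-side selection logic next to the old maximum-version method. This is an added example, not code from the message or the linked changeset; the extension body encoding (bare big-endian 16-bit values) and the contents of the implied lists for old clients are assumptions, since the message does not give them.

```python
import struct
from typing import List, Optional, Set

# Protocol versions as 16-bit integers (the on-the-wire values).
TLS1_0, TLS1_1, TLS1_2, TLS1_3 = 0x0301, 0x0302, 0x0303, 0x0304

# ASSUMPTION: implied lists for hellos that lack the extension. The message
# only says they hold 1 or 2 values depending on the hello version; these
# entries are illustrative.
IMPLIED = {
    TLS1_2: (TLS1_2, TLS1_1),
    TLS1_1: (TLS1_1, TLS1_0),
    TLS1_0: (TLS1_0,),
}


def parse_version_list(body: bytes) -> List[int]:
    """Decode the (assumed) extension body: consecutive big-endian uint16s."""
    if len(body) == 0 or len(body) % 2:
        raise ValueError("malformed version list")
    return [v for (v,) in struct.iter_unpack(">H", body)]


def client_versions(hello_version: int, ext_body: Optional[bytes]) -> List[int]:
    """Explicit list when the extension is present, else the implied list."""
    if ext_body is not None:
        return parse_version_list(ext_body)  # frozen hello_version is ignored
    return list(IMPLIED.get(hello_version, ()))


def select_version(server_supported: Set[int], hello_version: int,
                   ext_body: Optional[bytes] = None) -> Optional[int]:
    """Highest version on both lists; None means no overlap (abort)."""
    # Values the server does not recognise simply never match, so a client
    # listing future versions cannot trigger intolerance.
    common = server_supported.intersection(client_versions(hello_version, ext_body))
    return max(common, default=None)


def legacy_select(server_supported: Set[int], client_max: int) -> int:
    """Old method, for contrast: highest server version <= the client's maximum."""
    return max(v for v in server_supported if v <= client_max)
```

With a client that lists 1.3, 1.2 and 1.0 but not 1.1, and a server that supports only 1.1 and 1.0, `legacy_select` returns 1.1, which the client cannot speak, while `select_version` returns 1.0.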