Re: [TLS] TLS 1.3 - Support for compression to be removed

Eric Rescorla <ekr@rtfm.com> Wed, 07 October 2015 21:15 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C80F1B3082 for <tls@ietfa.amsl.com>; Wed, 7 Oct 2015 14:15:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J57KrsdqRgtF for <tls@ietfa.amsl.com>; Wed, 7 Oct 2015 14:15:41 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F0E11B3076 for <tls@ietf.org>; Wed, 7 Oct 2015 14:15:41 -0700 (PDT)
Received: by wiclk2 with SMTP id lk2so46596694wic.1 for <tls@ietf.org>; Wed, 07 Oct 2015 14:15:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=Xb/t5p6qpcXVfTSH+B0d6SUswFA5tbOKskIgt0ZIrZs=; b=BjpUOVsF9LrAk2/lApMwHUSnDIghmykSG5Lvudf8jirhGTC4d0bCHCEjbR0fCYGTtt PS0bhxQGucUEvD9wgLiuIWIoeTZP1cvPtAQcXZLK+gHZAWLfmg4VZLA2JmuBIZ1oXWaX Jsfr7ycFISM2YsWOugUQqmsspKHwFtwIJMTEP9+Vl2IX6qALCWgY6/4MXnvRoYr2I1ML 1dIWIVNypO5/mIvznOlN3U3R5TTa1haKLAlT4/vpPcSuNHRQySxivn2BitG9qwpejjMA Og3dLmBZwLBV2TyxCJ6EV/LI7Yh72IPPkCH5IrjE6S1sDPlWxdNi2I3QqiUw5jx5aDCu LLFQ==
X-Gm-Message-State: ALoCoQlx1vdfYxLk5wLgtI8550vj0xOuvhzamVIRaLTmvpVL6nMuQ0l5bXW+uZABkK+KH92Y4BTW
X-Received: by 10.180.106.98 with SMTP id gt2mr26543283wib.31.1444252539573; Wed, 07 Oct 2015 14:15:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.79.200 with HTTP; Wed, 7 Oct 2015 14:15:00 -0700 (PDT)
In-Reply-To: <20151007211155.384AC1A2C5@ld9781.wdf.sap.corp>
References: <CABcZeBNfFHR3eDi1yoifOuZ_ALMPN+xRo1nBx+qk19J+LQjmLw@mail.gmail.com> <20151007211155.384AC1A2C5@ld9781.wdf.sap.corp>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 07 Oct 2015 23:15:00 +0200
Message-ID: <CABcZeBPoF9Qm=ySx+xXkLCegWn1j=06LP+KPcZ=6N7NAbodBew@mail.gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Content-Type: multipart/alternative; boundary="f46d04428f1c9671bb05218a3fb8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/7p5CnkBZnZwPKfRFfKQwh0Igqvs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 - Support for compression to be removed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2015 21:15:43 -0000

On Wed, Oct 7, 2015 at 11:11 PM, Martin Rex <mrex@sap.com> wrote:

> Eric Rescorla wrote:
> > Martin Rex <mrex@sap.com> wrote:
> >> Eric Rescorla wrote:
> >>>
> >>> That is what the document says:
> >>> "Versions of TLS before 1.3 supported compression and the list of
> >>> compression methods was supplied in this field. For any TLS 1.3
> >>> ClientHello, this field MUST contain only the ?null? compression method
> >>> with the code point of 0. If a TLS 1.3 ClientHello is received with any
> >>> other value in this field, the server MUST generate a fatal
> >>> ?illegal_parameter? alert. Note that TLS 1.3 servers may receive TLS
> 1.2
> >>> or prior ClientHellos which contain other compression methods and MUST
> >>> follow the procedures for the appropriate prior version of TLS."
> >>
> >> The quoted wording calls for a fatal handshake failure when ClientHello
> >> offers
> >>
> >>   TLSv1.2+compression  _or_  TLSv1.3
> >>
> >> while at the same time the last requirement asserts that a ClientHello
> with
> >>
> >>   TLSv1.2+compression
> >>
> >> is perfectly OK.  To me, this looks quite odd.
> >
> > That's not how I read this text.
> >
> > Rather, I read it as:
> > If ClientHelloVersion >= TLS 1.3
> >    then the compression field must be empty
> > else:
> >    the compression field is dictated by other versions
> >
> > This doesn't seem inconsistent to me. If you still think that the
> paragraph
> > reads differently, can you help me by diagramming it?
>
> What you describe would be considerable worse that what I understood,
> because it would mean that a TLSv1.3 ClientHello will be unconditionally
> invalid for a TLSv1.2 server.
>
>    https://tools.ietf.org/html/rfc5246#page-42
>
>    compression_methods
>       This is a list of the compression methods supported by the client,
>       sorted by client preference.  If the session_id field is not empty
>       (implying a session resumption request), it MUST include the
>
> Dierks & Rescorla           Standards Track                    [Page 41]
>
> RFC 5246                          TLS                        August 2008
>
> *>    compression_method from that session.  This vector MUST contain,
> *>    and all implementations MUST support, CompressionMethod.null.
>       Thus, a client and server will always be able to agree on a
>       compression method.


Sorry, I spoke carelessly. It must contain solely the null method.

-Ekr