[TLS] explicitly specify ClientHello record version

Dave Garrett <davemgarrett@gmail.com> Wed, 24 December 2014 08:24 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 223A41ACD71 for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 00:24:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 96Op1aJ4K0j3 for <tls@ietfa.amsl.com>; Wed, 24 Dec 2014 00:24:38 -0800 (PST)
Received: from mail-qg0-x22b.google.com (mail-qg0-x22b.google.com [IPv6:2607:f8b0:400d:c04::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7938C1ACD97 for <tls@ietf.org>; Wed, 24 Dec 2014 00:24:38 -0800 (PST)
Received: by mail-qg0-f43.google.com with SMTP id z107so5495685qgd.2 for <tls@ietf.org>; Wed, 24 Dec 2014 00:24:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=UNY7HPMtvjT5PBC4lcnS27P8iHSTZBEnwkQCTXQjt5o=; b=v1B9ksTrjXv1MakaX0IuzDAL9/qhm5Y9J3co0PAb4vKQ0FMWdvHwtGFfXxKQOzTa67 lgTIK36JA7YjuWunJe4f5PKqia949jTYa694yry3r7QdUctKKOh6Wy3962tRZTu7zjTl NDh+TIO2xoGfhNb6sFpAAJAAsfE9ihdEhXbwH09NhzkxrLU08OHi5TprMDe4sWfD3YxG HkMbQjaA+tUJAFrKNYS6GxanSHH0kvpLQHFWwRkl4PqyaBCmmUrOy3pPKySEeoP8nImq ao88OAtArVOhIPZASWZslvVAFqIXrqKoltp9Y6yTGK3yctKNry61rN+j9eFdSzSXyVBA JNGw==
X-Received: by with SMTP id 64mr38007588qgc.53.1419409477789; Wed, 24 Dec 2014 00:24:37 -0800 (PST)
Received: from dave-laptop.localnet (pool-72-78-212-218.phlapa.fios.verizon.net. []) by mx.google.com with ESMTPSA id a3sm20930205qag.22.2014. (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 24 Dec 2014 00:24:37 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: Brian Smith <brian@briansmith.org>
Date: Wed, 24 Dec 2014 03:24:35 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-66-generic-pae; KDE/4.4.5; i686; ; )
References: <201412221945.35644.davemgarrett@gmail.com> <CAFewVt4OUkh5KhemR19dok0-dJ2eH3O71xQQ96QZTeLaE1dicg@mail.gmail.com>
In-Reply-To: <CAFewVt4OUkh5KhemR19dok0-dJ2eH3O71xQQ96QZTeLaE1dicg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201412240324.36125.davemgarrett@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/8bRQirobS3r6-3OrDpSnkv3Zh0c
X-Mailman-Approved-At: Fri, 26 Dec 2014 08:23:03 -0800
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: [TLS] explicitly specify ClientHello record version
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 08:24:40 -0000

On Tuesday, December 23, 2014 04:51:40 pm Brian Smith wrote:
> I think further changes can be made to tighten up the text regarding
> allowed record versions, but those changes are more open for debate.
> For example, we might say that the ClientHello's record version MUST
> be { 3, 1 } and that the version field in all other records MUST equal
> the negotiated version. But, again, this can be done on top of your
> changes.

Making the revisions for that was straightforward enough. I've also made some 
small editorial changes to the backwards compatibility section to update things 
as well as make it a little easier to follow.


That plus the other PR for dealing with SSL should probably be enough to resolve 
issue #54, "Rewrite backward compatibility section to deal with TLS 1.3".

I'm no expert on the implementation details of working with buggy severs, so it 
might be warranted to add more information here.

I know some implementations already specify the ClientHello in this fashion, yet 
I don't know if there's a consensus on this topic. I would expect to wait until 
next year for those who wish to debate this, due to the holiday season.