[TLS] explicitly specify ClientHello record version
Dave Garrett <davemgarrett@gmail.com> Wed, 24 December 2014 08:24 UTC
From: Dave Garrett <davemgarrett@gmail.com>
To: Brian Smith <brian@briansmith.org>
Date: Wed, 24 Dec 2014 03:24:35 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-66-generic-pae; KDE/4.4.5; i686; ; )
References: <201412221945.35644.davemgarrett@gmail.com> <CAFewVt4OUkh5KhemR19dok0-dJ2eH3O71xQQ96QZTeLaE1dicg@mail.gmail.com>
In-Reply-To: <CAFewVt4OUkh5KhemR19dok0-dJ2eH3O71xQQ96QZTeLaE1dicg@mail.gmail.com>
Message-Id: <201412240324.36125.davemgarrett@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/8bRQirobS3r6-3OrDpSnkv3Zh0c
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: [TLS] explicitly specify ClientHello record version
On Tuesday, December 23, 2014 04:51:40 pm Brian Smith wrote:
> I think further changes can be made to tighten up the text regarding
> allowed record versions, but those changes are more open for debate.
> For example, we might say that the ClientHello's record version MUST
> be { 3, 1 } and that the version field in all other records MUST equal
> the negotiated version. But, again, this can be done on top of your
> changes.

Making the revisions for that was straightforward enough. I've also made some small editorial changes to the backwards compatibility section to update things as well as make it a little easier to follow.

https://github.com/tlswg/tls13-spec/pull/107

That plus the other PR for dealing with SSL should probably be enough to resolve issue #54, "Rewrite backward compatibility section to deal with TLS 1.3".

I'm no expert on the implementation details of working with buggy servers, so it might be warranted to add more information here. I know some implementations already specify the ClientHello in this fashion, yet I don't know if there's a consensus on this topic.

I would expect to wait until next year for those who wish to debate this, due to the holiday season.

Dave
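As an added example (not code from this thread, from the pull request, or from the TLS working group draft), here is a record-layer version check in Python that implements the rule quoted above: the ClientHello's record version must be { 3, 1 }, and the version field of every other record must equal the negotiated version. The content-type and handshake-type constants are the standard TLS record-layer values; the sample records, the stub ClientHello body, and the `negotiated_version` parameter are constructed for this example and are assumptions, not anything the draft specifies.

```python
import struct

# TLS record-layer content types and the ClientHello handshake type
# (standard TLS values; everything else in this example is constructed).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
HANDSHAKE_CLIENT_HELLO = 1
RECORD_HEADER_LEN = 5  # type(1) + version(2) + length(2)


def parse_record(data):
    """Split one TLS record into (content_type, (major, minor), fragment).

    Raises ValueError on a short header or truncated fragment so a caller
    never reasons about a version field it did not fully receive.
    """
    if len(data) < RECORD_HEADER_LEN:
        raise ValueError("record shorter than the 5-byte header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:RECORD_HEADER_LEN])
    fragment = data[RECORD_HEADER_LEN:RECORD_HEADER_LEN + length]
    if len(fragment) != length:
        raise ValueError("record fragment truncated")
    return content_type, (major, minor), fragment


def build_record(content_type, version, fragment):
    """Inverse of parse_record; used here only to construct sample records."""
    major, minor = version
    return struct.pack("!BBBH", content_type, major, minor, len(fragment)) + fragment


def is_client_hello(content_type, fragment):
    """True when the record carries a handshake fragment starting with a ClientHello."""
    return (content_type == HANDSHAKE and len(fragment) >= 1
            and fragment[0] == HANDSHAKE_CLIENT_HELLO)


def check_record_version(record, negotiated_version=None):
    """Apply the proposed rule to one record.

    - A ClientHello record MUST carry record version {3, 1}.
    - Every other record MUST carry the negotiated version.
    Returns (ok, reason); negotiated_version is None until the handshake
    has settled on a protocol version (an assumption of this example).
    """
    content_type, version, fragment = parse_record(record)
    if is_client_hello(content_type, fragment):
        if version != (3, 1):
            return False, "ClientHello record version %s, expected (3, 1)" % (version,)
        return True, "ClientHello record version is (3, 1)"
    if negotiated_version is None:
        return False, "non-ClientHello record seen before a version was negotiated"
    if version != negotiated_version:
        return False, "record version %s != negotiated %s" % (version, negotiated_version)
    return True, "record version matches negotiated %s" % (negotiated_version,)


def constructed_client_hello_fragment():
    """A handshake fragment whose first byte is the ClientHello type.

    The body is a constructed stub (client_version 3.3 plus a zero random),
    not a complete ClientHello; only the handshake type matters to the check.
    """
    body = b"\x03\x03" + bytes(32)
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def run_demo():
    """Check a constructed sequence of records against the proposed rule."""
    hello = constructed_client_hello_fragment()
    negotiated = (3, 3)  # constructed: suppose TLS 1.2 was negotiated
    results = []
    # 1. ClientHello with record version {3,1}: accepted.
    results.append(check_record_version(build_record(HANDSHAKE, (3, 1), hello)))
    # 2. ClientHello with record version {3,3}: rejected by the proposed rule.
    results.append(check_record_version(build_record(HANDSHAKE, (3, 3), hello)))
    # 3. Application data carrying the negotiated version: accepted.
    results.append(check_record_version(
        build_record(APPLICATION_DATA, (3, 3), b"payload"), negotiated))
    # 4. Application data still carrying {3,1} after negotiation: rejected.
    results.append(check_record_version(
        build_record(APPLICATION_DATA, (3, 1), b"payload"), negotiated))
    return results


if __name__ == "__main__":
    for ok, reason in run_demo():
        print("OK  " if ok else "FAIL", reason)
```

The check looks only at the record-layer version field, which is what the quoted proposal constrains; the client_version inside the ClientHello body is a separate field and is not inspected here. Rejecting a non-ClientHello record before any version has been negotiated is a design choice of this example, so that the second rule is never applied against an undefined expected value.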