Re: [TLS] Version negotiation, take two
Andrei Popov <Andrei.Popov@microsoft.com> Wed, 14 September 2016 17:40 UTC
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Hubert Kario <hkario@redhat.com>, David Benjamin <davidben@chromium.org>
Thread-Topic: [TLS] Version negotiation, take two
Date: Wed, 14 Sep 2016 17:39:59 +0000
Message-ID: <CY1PR0301MB0842F99D7A32DFDCD18B3EAB8CF10@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <CAF8qwaA86yytg29QOD_N7ARimh9QcNGU_nnr_OrxqCrvrk2MBg@mail.gmail.com> <75066f8f-4576-31d4-bd3c-a2a0a52fb312@akamai.com> <CAF8qwaCG8vU1773Md2ZTyWxT+BfjHVP8X7Ac2cmXdEmpkQuP=A@mail.gmail.com> <4707488.xUP5jY4WDA@pintsize.usersys.redhat.com>
In-Reply-To: <4707488.xUP5jY4WDA@pintsize.usersys.redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/91eulg29jglhQyM5fmxDgt-uAHs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Version negotiation, take two
Do you mean a TLS extension code point per TLS version? One argument against this was that this makes it difficult to express the client's prioritization of TLS versions, but IMHO arguably the server should not care.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Hubert Kario
Sent: Wednesday, September 14, 2016 9:40 AM
To: David Benjamin <davidben@chromium.org>
Cc: tls@ietf.org
Subject: Re: [TLS] Version negotiation, take two

On Wednesday, 14 September 2016 16:17:50 CEST David Benjamin wrote:
> Yes, we find list intolerance too---servers which only look at the
> second byte in a cipher suite, servers which forgot a default in their
> NamedGroup switch-case, servers which get confused on unknown
> HashAlgorithms, servers which require the final extension
> non-empty---but this is dramatically less than version intolerance.
> It's usually within tolerable levels that we needn't resort to fallbacks.
>
> The proposal switches from something which we know does not work to
> something new. Perhaps this new one will break too, but it is very
> similar to things that have worked before, and I am hopeful that GREASE
> will help.

Was the option to do "one extension point = specific TLS version supported" discussed too? What arguments are there against it?

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
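The two encodings being compared in this exchange, as an added worked example (editor's code, not code from the thread, from any of the participants, or from any TLS implementation). Scheme A is the "list of versions in one extension" layout that TLS 1.3 eventually adopted as supported_versions (extension type 43): a one-byte length prefix followed by 2-byte ProtocolVersion values in client preference order. Scheme B is the alternative Hubert asks about: one extension code point per supported version with an empty body. The code points 0xFF01..0xFF03 used for scheme B, the future version value 0x0305, and the server's selection policy (honour client order when an order exists, otherwise take the highest number) are assumptions made for illustration; none of them is defined by any specification. The GREASE-style values 0x0A0A follow the 0xRARA pattern that GREASE uses.

```python
"""Added example: encode ClientHello version advertisements two ways and
negotiate from each, tolerating unknown values the way a GREASE-safe
server must.  Not code from the IETF thread or any TLS library."""
import struct

TLS_1_2 = 0x0303
TLS_1_3 = 0x0304
TLS_1_4_HYPOTHETICAL = 0x0305   # assumed future version the server has never seen
GREASE_0A0A = 0x0A0A            # GREASE value (0xRARA pattern), valid as both a
                                # version value and an extension type

SUPPORTED_VERSIONS_EXT = 43     # real TLS 1.3 supported_versions code point

# Scheme B: one hypothetical extension code point per version (made up here)
PER_VERSION_EXT = {TLS_1_2: 0xFF01, TLS_1_3: 0xFF02, TLS_1_4_HYPOTHETICAL: 0xFF03}


def encode_supported_versions(versions):
    """Scheme A body: ProtocolVersion versions<2..254>, client order kept."""
    body = b"".join(struct.pack("!H", v) for v in versions)
    if not 2 <= len(body) <= 254:
        raise ValueError("supported_versions vector length out of range")
    return bytes([len(body)]) + body


def encode_extensions(ext_list):
    """Serialise (type, body) pairs as a TLS Extension<0..2^16-1> vector."""
    out = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in ext_list)
    return struct.pack("!H", len(out)) + out


def decode_extensions(data):
    """Parse a TLS Extension vector back into (type, body) pairs."""
    (total,) = struct.unpack("!H", data[:2])
    pos, end, exts = 2, 2 + total, []
    if end != len(data):
        raise ValueError("extension block length mismatch")
    while pos < end:
        ext_type, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        exts.append((ext_type, data[pos:pos + length]))
        pos += length
    return exts


def scheme_a_extensions(versions):
    """Client side, scheme A: one supported_versions extension."""
    return encode_extensions(
        [(SUPPORTED_VERSIONS_EXT, encode_supported_versions(versions))])


def scheme_b_extensions(versions):
    """Client side, scheme B: an empty extension per version, plus a GREASE
    extension type the server must ignore.  Unknown versions simply have no
    code point to advertise with, which is another limitation of scheme B."""
    exts = [(GREASE_0A0A, b"")]
    exts += [(PER_VERSION_EXT[v], b"") for v in versions if v in PER_VERSION_EXT]
    return encode_extensions(exts)


def advertised_versions(exts):
    """Return (versions, ordered).  Scheme A yields a list whose order is the
    client's preference; scheme B yields a set, since extension order has no
    defined meaning, which is the objection Andrei describes."""
    for ext_type, body in exts:
        if ext_type == SUPPORTED_VERSIONS_EXT:
            n = body[0]
            if n != len(body) - 1 or n % 2:
                raise ValueError("malformed supported_versions")
            return [struct.unpack("!H", body[i:i + 2])[0]
                    for i in range(1, n + 1, 2)], True
    by_code = {code: v for v, code in PER_VERSION_EXT.items()}
    return {by_code[t] for t, _ in exts if t in by_code}, False


def negotiate(ext_bytes, server_versions, tolerant=True):
    """Server side.  A tolerant server skips values it does not support
    (GREASE, future versions); an intolerant one aborts on the first such
    value, which is the deployment failure the thread is trying to escape.
    Policy (an assumption): honour client order if one exists, else pick
    the highest version number."""
    versions, ordered = advertised_versions(decode_extensions(ext_bytes))
    candidates = versions if ordered else sorted(versions, reverse=True)
    for v in candidates:
        if v in server_versions:
            return v
        if not tolerant:
            raise ValueError(f"unknown version 0x{v:04x}")
    return None


def intolerant_server_fails(ext_bytes, server_versions):
    """True when a version-intolerant server would abort on this ClientHello."""
    try:
        negotiate(ext_bytes, server_versions, tolerant=False)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    client = [GREASE_0A0A, TLS_1_4_HYPOTHETICAL, TLS_1_2, TLS_1_3]  # constructed
    server = {TLS_1_2, TLS_1_3}
    print("scheme A:", hex(negotiate(scheme_a_extensions(client), server)))
    print("scheme B:", hex(negotiate(scheme_b_extensions(client), server)))
```

With the constructed client list above (which deliberately places TLS 1.2 ahead of TLS 1.3), scheme A lets the server honour that order and return 0x0303, while scheme B leaves it only a set and the "highest number" policy returns 0x0304. In both schemes the intolerant server aborts on the GREASE or future value, which is why tolerance to unknown entries, not the encoding itself, is what GREASE is meant to keep honest.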
- [TLS] Version negotiation, take two David Benjamin
- Re: [TLS] Version negotiation, take two Short, Todd
- Re: [TLS] Version negotiation, take two Xiaoyin Liu
- Re: [TLS] Version negotiation, take two Hannes Tschofenig
- Re: [TLS] Version negotiation, take two Benjamin Kaduk
- Re: [TLS] Version negotiation, take two Kyle Rose
- Re: [TLS] Version negotiation, take two Sean Turner
- Re: [TLS] Version negotiation, take two Hubert Kario
- Re: [TLS] Version negotiation, take two Benjamin Kaduk
- Re: [TLS] Version negotiation, take two David Benjamin
- Re: [TLS] Version negotiation, take two Hubert Kario
- Re: [TLS] Version negotiation, take two Andrei Popov
- Re: [TLS] Version negotiation, take two Hubert Kario
- Re: [TLS] Version negotiation, take two Andrei Popov
- Re: [TLS] Version negotiation, take two Salz, Rich
- Re: [TLS] Version negotiation, take two Andrei Popov
- Re: [TLS] Version negotiation, take two Hubert Kario
- Re: [TLS] Version negotiation, take two Hubert Kario
- Re: [TLS] Version negotiation, take two Benjamin Kaduk
- Re: [TLS] Version negotiation, take two Hubert Kario
- Re: [TLS] Version negotiation, take two Andrei Popov
- Re: [TLS] Version negotiation, take two Andrei Popov
- Re: [TLS] Version negotiation, take two Vlad Krasnov
- Re: [TLS] Version negotiation, take two Andrei Popov
- Re: [TLS] Version negotiation, take two David Benjamin
- Re: [TLS] Version negotiation, take two Hubert Kario
- Re: [TLS] Version negotiation, take two Vlad Krasnov
- Re: [TLS] Version negotiation, take two Joseph Salowey