Re: [TLS] Last Call: <draft-ietf-tls-ssl2-must-not-03.txt> (Prohibiting SSL Version 2.0) to Proposed Standard

Joe Salowey <jsalowey@cisco.com> Thu, 02 December 2010 18:23 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7EE0C28C0EE; Thu, 2 Dec 2010 10:23:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.578
X-Spam-Level:
X-Spam-Status: No, score=-110.578 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 92JpOdqWyAFQ; Thu, 2 Dec 2010 10:23:35 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 4DB7628C0FB; Thu, 2 Dec 2010 10:23:35 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAA5z90yrR7H+/2dsb2JhbACjJXGnbpsghUcEhF6GCIMR
X-IronPort-AV: E=Sophos;i="4.59,289,1288569600"; d="scan'208";a="629659475"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-6.cisco.com with ESMTP; 02 Dec 2010 18:24:51 +0000
Received: from [10.33.251.139] ([10.33.251.139]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id oB2IOnp5014382; Thu, 2 Dec 2010 18:24:50 GMT
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=us-ascii
From: Joe Salowey <jsalowey@cisco.com>
In-Reply-To: <002a01cb91c8$ff8f4fe0$feadefa0$@net>
Date: Thu, 2 Dec 2010 10:25:07 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <B8963639-9DA2-491A-BFE6-71DA11D05331@cisco.com>
References: <20101201135503.20212.98672.idtracker@localhost> <002a01cb91c8$ff8f4fe0$feadefa0$@net>
To: Glen Zorn <gwz@net-zen.net>
X-Mailer: Apple Mail (2.1082)
Cc: ietf@ietf.org, tls@ietf.org
Subject: Re: [TLS] Last Call: <draft-ietf-tls-ssl2-must-not-03.txt> (Prohibiting SSL Version 2.0) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Dec 2010 18:23:36 -0000

Hi Glen,

In reading the text and I'm not exactly sure where the confusion or contradiction comes in.  I think your suggested text is fine, but I'm not sure how it improves things.  If I understand your point correctly accepting an SSL 2.0 hello as the first message in the TLS handshake is an example of using at least part of SSL 2.0, so we should indicate that this is an exception to the MUST NOT use SSL 2.0 directive.  Is this your concern?

Thanks,

Joe

On Dec 1, 2010, at 6:31 PM, Glen Zorn wrote:

> Section 3 says "TLS clients MUST NOT send SSL 2.0 CLIENT-HELLO messages."
> and "TLS servers MUST NOT negotiate or use SSL 2.0" and later "TLS servers
> that do not support SSL 2.0 MAY accept version 2.0 CLIENT-HELLO messages as
> the first message of a TLS handshake for interoperability with old clients."
> Taken together, I find these statements quite confusing, if not outright
> self-contradictory.  Maybe, a "However" might fix the problem, though: 
> 
> 	TLS servers MUST NOT negotiate or use SSL 2.0; however, TLS servers 
> 	MAY accept SSL 2.0 CLIENT-HELLO messages as the first message of a 
> 	TLS handshake in order to maintain interoperability with legacy 
> 	clients.
> 
> 
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf