Re: [TLS] consensus on backwards compatibility changes

mrex@sap.com (Martin Rex) Tue, 27 January 2015 18:49 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB9FD1A86DE for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 10:49:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u3-ZlIgWYOBC for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 10:49:08 -0800 (PST)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FB581A891E for <tls@ietf.org>; Tue, 27 Jan 2015 10:49:06 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 87B1D3A29B; Tue, 27 Jan 2015 19:49:04 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 7D00042647; Tue, 27 Jan 2015 19:49:04 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 72D211B12B; Tue, 27 Jan 2015 19:49:04 +0100 (CET)
In-Reply-To: <CAOgPGoDvPm4GxbhBYbuhDOc1D5iYf0VvCLs+ZORu8n82sfrQKg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Date: Tue, 27 Jan 2015 19:49:04 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150127184904.72D211B12B@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ARwupTAdiR6Wugck4LYAd8gUPdM>
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jan 2015 18:49:16 -0000

Joseph Salowey wrote:
> Dave Garrett <davemgarrett@gmail.com> wrote:
> 
> > On Sunday, January 25, 2015 02:36:14 pm Eric Rescorla wrote:
> > > Based on reading the mailing list, it seems to me that there is rough
> > > consensus on PR#105, but not (yet?) on PR#107.
> >
> > I don't recall any objections to #107, but not much discussion either.
> >
> > To sum it up here, in addition to some editorial changes:
> >
> > 1) Fixes initial ClientHello record layer version to { 3, 1 } (TLS 1.0) &
> > mandates
> > all other record layer versions to match negotiated version.
> > (Brian's suggestion)
> >
> >
> [Joe] I think this makes sense.  I added to comments to the PR.  I propose
> to move the bit about the server accepting versions {3,x} to the same place
> and change the wording of the existing test to say:
> 
> "The client MUST set the version to {3, 1} for the initial ClientHello."

The primary reason why several implementors goofed the TLS version
negotiation in TLSv1.0 is that lack of clarity in the language.

If your above statement refers to the client_version member of the
ClientHello handshake message, please say so.

The record layer version number is entirely independent from
ClientHello.client_version, and for additional safety, it should be
explicitly mentioned what requirements, if any, exist for the record
layer protocol version of a record that carries the initial ClientHello
of a connection.

The original idea behind the TLS protocol version negotiation was that
the TLS handshake hash protects the entire handshake, and dirty hacks
like the downgrade dance that contemporary browsers are doing, would
be entirely unnecessary.

It would be a pretty stupid idea for the TLSv1.3 protocol specification
to withdraw TLS protocol negotiation protection from TLS clients, that
for whatever reason, see a need to offer pre-TLSv1.0 protocols to servers.

Defining an _implied_ set of features, that a TLS client sending/using a
backwards-compatible ClientHello offering TLSv1.3 in ClientHello.client_version
(or whatever alternative negotiation scheme the TLS WG chooses to use),
would be *MUCH* more reasonable.


-Martin