Re: [TLS] consensus on backwards compatibility changes
mrex@sap.com (Martin Rex) Tue, 27 January 2015 18:49 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB9FD1A86DE for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 10:49:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u3-ZlIgWYOBC for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 10:49:08 -0800 (PST)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FB581A891E for <tls@ietf.org>; Tue, 27 Jan 2015 10:49:06 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 87B1D3A29B; Tue, 27 Jan 2015 19:49:04 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 7D00042647; Tue, 27 Jan 2015 19:49:04 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 72D211B12B; Tue, 27 Jan 2015 19:49:04 +0100 (CET)
In-Reply-To: <CAOgPGoDvPm4GxbhBYbuhDOc1D5iYf0VvCLs+ZORu8n82sfrQKg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Date: Tue, 27 Jan 2015 19:49:04 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150127184904.72D211B12B@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ARwupTAdiR6Wugck4LYAd8gUPdM>
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jan 2015 18:49:16 -0000
Joseph Salowey wrote: > Dave Garrett <davemgarrett@gmail.com> wrote: > > > On Sunday, January 25, 2015 02:36:14 pm Eric Rescorla wrote: > > > Based on reading the mailing list, it seems to me that there is rough > > > consensus on PR#105, but not (yet?) on PR#107. > > > > I don't recall any objections to #107, but not much discussion either. > > > > To sum it up here, in addition to some editorial changes: > > > > 1) Fixes initial ClientHello record layer version to { 3, 1 } (TLS 1.0) & > > mandates > > all other record layer versions to match negotiated version. > > (Brian's suggestion) > > > > > [Joe] I think this makes sense. I added to comments to the PR. I propose > to move the bit about the server accepting versions {3,x} to the same place > and change the wording of the existing test to say: > > "The client MUST set the version to {3, 1} for the initial ClientHello." The primary reason why several implementors goofed the TLS version negotiation in TLSv1.0 is that lack of clarity in the language. If your above statement refers to the client_version member of the ClientHello handshake message, please say so. The record layer version number is entirely independent from ClientHello.client_version, and for additional safety, it should be explicitly mentioned what requirements, if any, exist for the record layer protocol version of a record that carries the initial ClientHello of a connection. The original idea behind the TLS protocol version negotiation was that the TLS handshake hash protects the entire handshake, and dirty hacks like the downgrade dance that contemporary browsers are doing, would be entirely unnecessary. It would be a pretty stupid idea for the TLSv1.3 protocol specification to withdraw TLS protocol negotiation protection from TLS clients, that for whatever reason, see a need to offer pre-TLSv1.0 protocols to servers. Defining an _implied_ set of features, that a TLS client sending/using a backwards-compatible ClientHello offering TLSv1.3 in ClientHello.client_version (or whatever alternative negotiation scheme the TLS WG chooses to use), would be *MUCH* more reasonable. -Martin
- [TLS] consensus on backwards compatibility changes Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Eric Rescorla
- Re: [TLS] consensus on backwards compatibility ch… Kurt Roeckx
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Kurt Roeckx
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Kurt Roeckx
- Re: [TLS] consensus on backwards compatibility ch… Joseph Salowey
- Re: [TLS] consensus on backwards compatibility ch… Sean Turner
- Re: [TLS] consensus on backwards compatibility ch… Ira McDonald
- Re: [TLS] consensus on backwards compatibility ch… Martin Rex
- Re: [TLS] consensus on backwards compatibility ch… Martin Rex
- Re: [TLS] consensus on backwards compatibility ch… Joseph Salowey
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Florian Weimer
- Re: [TLS] consensus on backwards compatibility ch… Martin Rex
- Re: [TLS] consensus on backwards compatibility ch… Florian Weimer
- Re: [TLS] consensus on backwards compatibility ch… Eric Rescorla
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Michael Clark
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Nikos Mavrogiannopoulos
- Re: [TLS] consensus on backwards compatibility ch… Dave Garrett
- Re: [TLS] consensus on backwards compatibility ch… Ilari Liusvaara