Re: [TLS] AD review of draft-ietf-tls-negotiated-ff-dhe-08
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 02 April 2015 10:38 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/AwbKY-RK2Plz2HABddCaV2pRC2E>

On 02/04/15 03:05, Martin Rex wrote:
> Stephen Farrell wrote:
>> Martin Rex wrote:
>>>
>>> I think Stephen might have meant something else.
>>>
>>> RFC4492 contains the following explicit prohibition (Section 4, 4th paragr.):
>>>
>>>   https://tools.ietf.org/html/rfc4492#section-4
>>>
>>>
>>>    The client MUST NOT include these extensions in the ClientHello
>>>    message if it does not propose any ECC cipher suites.
>>
>> Ooh - good catch, I hadn't spotted that. This draft is updating 4492
>> though so we can validly change that, but if we're doing so (and I
>> guess we are) then it'd be better to be very explicit about it, e.g.
>> by adding a sentence saying that we're changing that specific MUST NOT.
>
> I believe that this is *NOT* an option here (more below).
>
>
>>
>>> and the above requirement seems to prohibit a non-ECC client from
>>> using the named FFDHE parameters through the ECC named curve extension
>>> _without_ accompanying ECC cipher suites.
>>
>> Right. That's the kind of thing I was wondering about.
>>
>> I'll happily accept the wg's word on this, but to what extent have
>> we checked that we're not breaking something with this change in
>> semantics. (It's a small, but real, change.)
>
>
> The problem with the quoted requirement in rfc4492 is (similar to several
> highly bogus and/or overbroad requirements in other TLS-related RFCs),
> that it does not distinguish PDU content from communication peer behaviour,
> and does not declare whether that requirement applies only to sender
> or also to recipient.
>
>
> The result is, that there may easily exist server implementation of rfc4492
> which abort the TLS handshake when they receive a TLS ClientHello with
> the TLS ECC named_curve extension (and only ffdhe named curves in it)
> but no accompanying ECC cipher suites in the ClientHello cipher_suites_list,
> and that interoperability failure OUGHT to be avoided. REALLY.

Right, it is a possible interop break.

It seems the browser folks are confident it won't bite them (did
they test yet without any ECC ciphersuites?) but that (so far)
we've not heard from others.

I'd like to hear more myself, but this is something the WG could
choose to do and, if done carefully, that can be fine. OTOH, it
could also be a mistake, if not done sufficiently carefully, which
is why I'm asking about it. (Right now, I think I need more input
still, but it could also be that that's already in the list
archive, I'm not sure.)

Cheers,
S.

>
>
> -Martin
>
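
The ClientHello shape debated in this message, as an added example that is not part of the original message or of the draft: a small classifier that reports whether a ClientHello carries the RFC 4492 named-curve extension with only FFDHE groups and no ECC cipher suites, which is the case an interop test would need to send to RFC 4492 servers. The function names are hypothetical, the FFDHE codepoints (256 to 260) are those later assigned in RFC 7919 (the published form of this draft), and the ECC suite check is limited to the RFC 4492 and RFC 5289 ranges.

```python
import struct

EXT_ELLIPTIC_CURVES = 10                 # RFC 4492 extension, reused for FFDHE groups
FFDHE_GROUPS = range(0x0100, 0x0105)     # ffdhe2048..ffdhe8192 (RFC 7919 codepoints)

def is_ecc_suite(cs):
    # Assumption: only RFC 4492 (0xC001-0xC019) and RFC 5289 (0xC023-0xC032) suites
    return 0xC001 <= cs <= 0xC019 or 0xC023 <= cs <= 0xC032

def build_client_hello(suites, groups):
    """Constructed ClientHello body (no record/handshake header) for testing."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
    body += b"\x01\x00"                           # null compression only
    exts = b""
    if groups is not None:
        data = struct.pack(f"!H{len(groups)}H", 2 * len(groups), *groups)
        exts = struct.pack("!HH", EXT_ELLIPTIC_CURVES, len(data)) + data
    return body + struct.pack("!H", len(exts)) + exts

def parse_client_hello(body):
    """Return (cipher_suites, groups); groups is None if the extension is absent."""
    pos = 2 + 32
    pos += 1 + body[pos]                          # skip session_id
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    suites = list(struct.unpack_from(f"!{n // 2}H", body, pos)); pos += n
    pos += 1 + body[pos]                          # skip compression_methods
    groups = None
    if pos < len(body):                           # extensions block is optional
        (total,) = struct.unpack_from("!H", body, pos); pos += 2
        end = min(pos + total, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
            if etype == EXT_ELLIPTIC_CURVES:
                (glen,) = struct.unpack_from("!H", body, pos)
                groups = list(struct.unpack_from(f"!{glen // 2}H", body, pos + 2))
            pos += elen
    return suites, groups

def classify(body):
    suites, groups = parse_client_hello(body)
    if not groups:
        return "no-groups-extension"
    if any(is_ecc_suite(cs) for cs in suites):
        return "ecc-suites-present"               # allowed by the RFC 4492 rule
    if all(g in FFDHE_GROUPS for g in groups):
        return "ffdhe-only-without-ecc-suites"    # the case discussed in this thread
    return "ec-curves-without-ecc-suites"         # sender breaks the RFC 4492 MUST NOT
```
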