Re: [TLS] Minutes from Tuesday

Brian Smith <> Wed, 12 November 2014 02:04 UTC

From: Brian Smith <>
Cc: Manuel Pégourié-Gonnard <>
Subject: Re: [TLS] Minutes from Tuesday

Martin Rex <> wrote:
> It's actually hard to think of a more unreasonable behaviour than
> the one currently specified.

No it isn't. For example, the server could do all of these, which are
more unreasonable:
1. Reboot the server.
2. Start thermonuclear war.
3. Send a reply on this thread to this mailing list.

There are many other more unreasonable things the server could do.

> A different, equally simple and magnitudes more useful server behaviour
> would be for the server to continue the handshake as normal and simply
> assume in the processing of the ClientHello that the Client means
> ClientHello.client_version +1 compared to what it sent over the wire.

No, because the client might have done multiple levels of fallback,
but the server might not have seen all of the levels. So, for example,
the server might be seeing ClientHello.client_version = SSL 3.0 with
the fallback SCSV, but the client actually supports TLS 1.2. It
wouldn't be good for the server to carry on with TLS 1.0 (because of
the CBC IV problems in TLS 1.0, amongst other reasons).

> (but when doing that, the server ought to skip the RSA premaster secret
>  client_version check later on when selecting a cipher suite with
>  static RSA key exchange.  Since Microsoft botched the RSA premaster
>  secret version on renegotiation handshakes in Win7, and there is no
>  security value in the check anyway, this should be perfectly OK.)

I disagree. If there is a compatibility issue regarding renegotiations
only, then the compatibility workaround should be limited to
renegotiations only. Since most clients don't even want to renegotiate
unless the server demands it, limiting the workaround to
renegotiations means that most connections will never be affected by
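The multi-level fallback case Brian describes, as an added example that is not part of the thread: a minimal server-side TLS_FALLBACK_SCSV decision following RFC 7507, set beside the "assume client_version + 1" alternative. The ClientHello bytes are constructed for illustration (zero-length session_id, extensions omitted); function names are my own.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600   # signaling cipher suite value from RFC 7507
INAPPROPRIATE_FALLBACK = 86  # alert description from RFC 7507


def parse_client_hello(body: bytes):
    """Extract client_version and cipher_suites from a ClientHello body
    (the bytes after the 4-byte handshake header)."""
    client_version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                              # skip Random
    sid_len = body[pos]
    pos += 1 + sid_len                        # skip legacy session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    return client_version, suites


def rfc7507_server_decision(client_version, suites, server_max_version):
    """RFC 7507 section 3: SCSV present and client_version below the highest
    version the server supports means abort with inappropriate_fallback."""
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(client_version, server_max_version))


def plus_one_proposal(client_version, suites, server_max_version):
    """The alternative discussed in the thread: carry on, assuming the client
    really meant client_version + 1. Illustrative only, not a standard."""
    assumed = client_version + 1 if TLS_FALLBACK_SCSV in suites else client_version
    return ("negotiate", min(assumed, server_max_version))


def build_client_hello(client_version, suites):
    """Constructed ClientHello body with an empty session_id (test input)."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    return (struct.pack(">H", client_version) + b"\x00" * 32 + b"\x00"
            + struct.pack(">H", len(cs)) + cs)


if __name__ == "__main__":
    # Client supports TLS 1.2 but has fallen back twice, so the server only
    # sees client_version = SSL 3.0 plus the SCSV. The server's max is TLS 1.2.
    hello = build_client_hello(0x0300, [0x002F, TLS_FALLBACK_SCSV])
    ver, suites = parse_client_hello(hello)
    print(rfc7507_server_decision(ver, suites, 0x0303))  # ('alert', 86)
    print(plus_one_proposal(ver, suites, 0x0303))        # ('negotiate', 769): TLS 1.0
```

The RFC 7507 path refuses the connection so the client can retry at its real maximum, whereas the "+1" path silently settles on TLS 1.0 even though both ends support TLS 1.2.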