Re: [TLS] Thoughts on Version Intolerance

David Benjamin <> Sat, 23 July 2016 06:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2257512D5AE for <>; Fri, 22 Jul 2016 23:03:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.986
X-Spam-Status: No, score=-3.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3nNlAVhlvs7H for <>; Fri, 22 Jul 2016 23:03:54 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A595212D17B for <>; Fri, 22 Jul 2016 23:03:53 -0700 (PDT)
Received: by with SMTP id f93so98256881lfi.2 for <>; Fri, 22 Jul 2016 23:03:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pJsV/dSDdzq8h2epWA6YVLMdlw+UJeIk60Y/lANLDKU=; b=IiDlzCCRgIbmz6Wy7B975i/h9UNCXy/yIj+SPr7pgsK0vOq0k3RaiZVL2cF4X99web D8r3E0gWUWtzEg4PM8VleKusLkj0BJNK8uToVLBqdsDFGgsMQSLptHfBrlop6J/p4q8Z gWbmAwBLvOT6MjDusOLUi9Mhyv1GvI0IbZDjM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pJsV/dSDdzq8h2epWA6YVLMdlw+UJeIk60Y/lANLDKU=; b=JKLuooP/M40CtJZWwMh5kYNgnCd3uPIDG5ifXL1Ut7KasKAS11acNBPySTHg54Kz9t nTgpcBAxES8ssUO2/i0lJoNK3R/rr7QuPdyiKUsx+mdWQARJIS0995qfo9iiRI0kHbfE vARNM7LsGOtjAcBaF6xWq0xDOub7F3o6LKQsfADcWh4KWfxlYtDB4y2eBM737Hlqum/d 1Ve9Thg3yubNWCyBBTnd2AigU3c9Y0GrgUwPwsZNRSFRD10AvClVtjNtSkIQkE0IBaTg xhxbBYdgXXRFyZeL1cv5jvZB6AG9xpfx/gwLBRjz4Ff09rhpkmx3hIlqg1gMAsWg51B2 J/PQ==
X-Gm-Message-State: AEkoousCxlPRtX4QwC5ZWstrvX6LBjlmMn1ltcn4NEBBXHvYdQN1GNGI1sgfjYII61F7L7MnibVZaas78SiylZHI
X-Received: by with SMTP id r203mr4351665lfe.85.1469253831542; Fri, 22 Jul 2016 23:03:51 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: David Benjamin <>
Date: Sat, 23 Jul 2016 06:03:41 +0000
Message-ID: <>
To: Brian Smith <>, Hubert Kario <>
Content-Type: multipart/alternative; boundary="001a114032a2b71ecd05384750d4"
Archived-At: <>
Cc: "<>" <>
Subject: Re: [TLS] Thoughts on Version Intolerance
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 23 Jul 2016 06:03:56 -0000

On Sat, Jul 23, 2016 at 3:37 AM Brian Smith <> wrote:

> Hubert Kario <> wrote:
> > I'm quite sure that if I were sending a huge extension or many big
> extensions,
> > the percentage of servers that are incompatible to them would be
> similar, if
> > not worse. A relatively small 3KiB client hello already causes issues
> and this
> > is not exactly something impossible to achieve with just TLSv1.2 and
> session
> > tickets.
> Don't expect a server to accept a ClientHello with a session ticket it
> didn't produce. In particular, a server could very reasonably reject a
> session ticket larger than the ones it produces, and it might produce
> only very small ones.
> More generally, when assessing compatibility, generally it is better
> to consider only initial handshakes, using the data one would normally
> send in an initial handshake. And, if you are considering 0-RTT key
> shares, then it would be better to measure the case where only ECC key
> shares are used separately from the case where non-ECC (old-school DH)
> key shares are used.

Indeed I just finished a probe that tested many more handshake variations:

1. 1.2 ClientHello
2. 1.3 ClientHello with all curves predicted[*]
3. 1.3 ClientHello with only X25519 + P-256 predicted
4. 1.2 ClientHello with 1.3 sigalgs
5. 1.2 ClientHello with fake 1.3 version

I still need to fully analyze the data and experiment with the servers that
behave strangely, but the overwhelming majority of 1.3-intolerant servers
are intolerant to just the version. (They fail to connect with only 2, 3,
and 5.)

(Note that one must complete the handshake to get a full picture. Sending
the ClientHello isn't enough. Full analysis pending, but sending a 1.2
ServerHello and failing around the Finished message seems to happen often

I did find one group of servers which is intolerant to the new signature
algorithms in some inexplicable way. (It's not as straight-forward as
avoiding numbers that end in 0-3 or having too many. Hopefully I'll manage
to figure out what's up with them.)

I have not found any servers which are sensitive to 2 vs 3. (That said,
there is a group in my data which is consistent with being intolerant to
large ClientHellos. But every one I've looked at so far was a transient
network error in probing. I'll need to re-run a few of these hosts to get
better data.)

But the one thing that is extremely clear is the problem is
ClientHello.version. This should not be surprising. We've done this three
times already, and it's always been ClientHello.version. There may be the
occasional satellite problem beyond it, but we will never be rid of
fallbacks if we continue to try something which reality is desperately
trying to tell us doesn't work.


[*] Our implementation doesn't do FFDHE. Although between X25519, P-256,
P-384, and P-521, that's decently large.