Re: [TLS] Thoughts on Version Intolerance
Hubert Kario <hkario@redhat.com> Sat, 23 July 2016 22:10 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B994E12D1BD for <tls@ietfa.amsl.com>; Sat, 23 Jul 2016 15:10:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.509
X-Spam-Level:
X-Spam-Status: No, score=-5.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hGdidD_vf56u for <tls@ietfa.amsl.com>; Sat, 23 Jul 2016 15:10:55 -0700 (PDT)
Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CCFD12D0CA for <tls@ietf.org>; Sat, 23 Jul 2016 15:10:55 -0700 (PDT)
Received: from zmail11.collab.prod.int.phx2.redhat.com (zmail11.collab.prod.int.phx2.redhat.com [10.5.83.13]) by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u6NMAptP002090; Sat, 23 Jul 2016 18:10:51 -0400
Date: Sat, 23 Jul 2016 18:10:50 -0400
From: Hubert Kario <hkario@redhat.com>
To: David Benjamin <davidben@chromium.org>
Message-ID: <1102073174.18586058.1469311850476.JavaMail.zimbra@redhat.com>
In-Reply-To: <CAF8qwaCmguZOpSV6HZEQyeusEVmSDX2vpFkx+3h__a3uLmi5Rg@mail.gmail.com>
References: <20160720173027.9BC3D1A504@ld9781.wdf.sap.corp> <4902846.OLd9Rrk6Df@pintsize.usersys.redhat.com> <201607211604.25745.davemgarrett@gmail.com> <2581885.dP5x8nd4GP@pintsize.usersys.redhat.com> <CAFewVt760KsO6oX5u-ZQJmKB-M5FcTb7mUTz4Z4FaT2QopwCxw@mail.gmail.com> <CAF8qwaCmguZOpSV6HZEQyeusEVmSDX2vpFkx+3h__a3uLmi5Rg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [94.112.188.164, 10.5.101.181]
X-Mailer: Zimbra 8.0.6_GA_5922 (ZimbraWebClient - FF47 (Linux)/8.0.6_GA_5922)
Thread-Topic: Thoughts on Version Intolerance
Thread-Index: hie19C61y1WP9D2gxmOjBE8hB1CoPw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B_5z-znuCEGQDhd88bkZ8XITu4g>
Cc: tls <tls@ietf.org>
Subject: Re: [TLS] Thoughts on Version Intolerance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2016 22:10:58 -0000
----- Original Message ----- > From: "David Benjamin" <davidben@chromium.org> > To: "Brian Smith" <brian@briansmith.org>, "Hubert Kario" <hkario@redhat.com> > Cc: "<tls@ietf.org>" <tls@ietf.org> > Sent: Saturday, July 23, 2016 8:03:41 AM > Subject: Re: [TLS] Thoughts on Version Intolerance > On Sat, Jul 23, 2016 at 3:37 AM Brian Smith < brian@briansmith.org > wrote: > > Hubert Kario < hkario@redhat.com > wrote: > > > > I'm quite sure that if I were sending a huge extension or many big > > > extensions, > > > > the percentage of servers that are incompatible to them would be similar, > > > if > > > > not worse. A relatively small 3KiB client hello already causes issues and > > > this > > > > is not exactly something impossible to achieve with just TLSv1.2 and > > > session > > > > tickets. > > (Note that one must complete the handshake to get a full picture. Sending the > ClientHello isn't enough. Full analysis pending, but sending a 1.2 > ServerHello and failing around the Finished message seems to happen often > enough.) technically, it's a regular bug, not intolerance intolerance is when we can't get Server Hello message On the other hand we have servers like clkmon.com, which seem to choke on measly 1356 byte long Client Hello messages... -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Email: hkario@redhat.com Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [TLS] Client Hello size intolerance Was: Re: Thou… Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Yuhong Bao
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Ivan Ristić
- Re: [TLS] Thoughts on Version Intolerance Yuhong Bao
- Re: [TLS] Thoughts on Version Intolerance Yuhong Bao
- Re: [TLS] Thoughts on Version Intolerance David Benjamin
- Re: [TLS] Thoughts on Version Intolerance Brian Smith
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Peter Gutmann
- Re: [TLS] Thoughts on Version Intolerance Ilari Liusvaara
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance David Benjamin
- Re: [TLS] Thoughts on Version Intolerance Watson Ladd
- Re: [TLS] Thoughts on Version Intolerance Martin Rex
- Re: [TLS] Thoughts on Version Intolerance Benjamin Kaduk
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Watson Ladd
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Kyle Rose
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Martin Rex
- Re: [TLS] Thoughts on Version Intolerance Hanno Böck
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance David Benjamin
- Re: [TLS] Thoughts on Version Intolerance Ilari Liusvaara
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- [TLS] Thoughts on Version Intolerance Hanno Böck
- Re: [TLS] Client Hello size intolerance Was: Re: … David Benjamin
- Re: [TLS] Client Hello size intolerance Was: Re: … Hubert Kario
- Re: [TLS] Client Hello size intolerance Was: Re: … Brian Smith
- Re: [TLS] Thoughts on Version Intolerance Dave Garrett
- Re: [TLS] Thoughts on Version Intolerance Ilari Liusvaara