Re: [TLS] Thoughts on Version Intolerance

Hubert Kario <hkario@redhat.com> Sat, 23 July 2016 22:10 UTC

Date: Sat, 23 Jul 2016 18:10:50 -0400
From: Hubert Kario <hkario@redhat.com>
To: David Benjamin <davidben@chromium.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B_5z-znuCEGQDhd88bkZ8XITu4g>
Cc: tls <tls@ietf.org>
Subject: Re: [TLS] Thoughts on Version Intolerance

----- Original Message -----

> From: "David Benjamin" <davidben@chromium.org>
> To: "Brian Smith" <brian@briansmith.org>, "Hubert Kario" <hkario@redhat.com>
> Cc: "<tls@ietf.org>" <tls@ietf.org>
> Sent: Saturday, July 23, 2016 8:03:41 AM
> Subject: Re: [TLS] Thoughts on Version Intolerance
>
> On Sat, Jul 23, 2016 at 3:37 AM Brian Smith <brian@briansmith.org> wrote:
>
> > Hubert Kario <hkario@redhat.com> wrote:
> >
> > > I'm quite sure that if I were sending a huge extension or many big
> > > extensions, the percentage of servers that are incompatible with them
> > > would be similar, if not worse. A relatively small 3KiB client hello
> > > already causes issues and this is not exactly something impossible to
> > > achieve with just TLSv1.2 and session tickets.
>
> (Note that one must complete the handshake to get a full picture. Sending the
> ClientHello isn't enough. Full analysis pending, but sending a 1.2
> ServerHello and failing around the Finished message seems to happen often
> enough.)

Technically, it's a regular bug, not intolerance.

Intolerance is when we can't get a Server Hello message.

On the other hand, we have servers like clkmon.com, which seem to choke on measly
1356-byte-long Client Hello messages...
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
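The thread draws a line between intolerance (no ServerHello ever comes back) and a handshake that gets a ServerHello and then fails, and cites size thresholds such as 1356 bytes and 3 KiB. As an added example, not code from the thread or any of its participants, this Python builds a TLS 1.2 ClientHello padded to an exact size with the RFC 7685 padding extension and classifies a server's raw reply bytes along that line; the SNI name, cipher suites and sample responses are constructed placeholders.

```python
import struct

# Constructed example: a ClientHello builder that uses the RFC 7685 padding
# extension to reach an exact record size, and a classifier that applies the
# thread's intolerance-vs-regular-bug distinction to bytes a server sent back.
TLS12 = b"\x03\x03"
PADDING_EXT = 21                 # extension type 21 (RFC 7685)
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
CT_ALERT, CT_HANDSHAKE = 21, 22

def build_client_hello(target_len, sni=b"example.com",
                       ciphers=(0xC02F, 0xC030, 0x009C)):
    """Return one TLS record holding a TLS 1.2 ClientHello of exactly target_len bytes."""
    body = TLS12 + bytes(32) + b"\x00"           # version, fixed random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # null compression only
    name = b"\x00" + struct.pack("!H", len(sni)) + sni               # host_name entry
    lst = struct.pack("!H", len(name)) + name
    exts = struct.pack("!HH", 0, len(lst)) + lst                     # server_name extension
    # record header (5) + handshake header (4) + body + extensions length (2) + exts so far
    fixed = 5 + 4 + len(body) + 2 + len(exts)
    pad = target_len - fixed - 4                 # 4 = padding extension type + length
    if pad < 0:
        raise ValueError("target_len is smaller than the unpadded ClientHello")
    exts += struct.pack("!HH", PADDING_EXT, pad) + bytes(pad)        # zero-filled padding
    hello = body + struct.pack("!H", len(exts)) + exts
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CT_HANDSHAKE, 0x0301, len(hs)) + hs

def classify_response(data):
    """'intolerant' = no ServerHello; 'handshake-bug' = ServerHello then alert; else 'ok'."""
    saw_server_hello = saw_alert = False
    i = 0
    while i + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[i:i + 5])
        frag = data[i + 5:i + 5 + length]
        if len(frag) < length:                   # connection closed mid-record
            break
        if ctype == CT_HANDSHAKE and frag[:1] == bytes([HS_SERVER_HELLO]):
            saw_server_hello = True
        elif ctype == CT_ALERT:
            saw_alert = True
        i += 5 + length
    if not saw_server_hello:
        return "intolerant"
    return "handshake-bug" if saw_alert else "ok"
```

Sending the padded record to a live server and feeding what comes back into classify_response is the part deliberately left out here; the sizes in the thread (1356 and 3072) are the natural first targets.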