Re: [TLS] interop for TLS clients proposing TLSv1.1
Martin Rex <mrex@sap.com> Mon, 26 September 2011 14:25 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C5D121F8D4C for <tls@ietfa.amsl.com>; Mon, 26 Sep 2011 07:25:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.014
X-Spam-Level:
X-Spam-Status: No, score=-9.014 tagged_above=-999 required=5 tests=[AWL=-0.854, BAYES_05=-1.11, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y58UKPGpoTTQ for <tls@ietfa.amsl.com>; Mon, 26 Sep 2011 07:25:04 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 9DB0221F8D56 for <tls@ietf.org>; Mon, 26 Sep 2011 07:25:03 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p8QERgVc006749 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 26 Sep 2011 16:27:42 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201109261427.p8QERf9g008042@fs4113.wdf.sap.corp>
To: fweimer@bfk.de
Date: Mon, 26 Sep 2011 16:27:41 +0200
In-Reply-To: <82oby7ctxe.fsf@mid.bfk.de> from "Florian Weimer" at Sep 26, 11 01:30:37 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] interop for TLS clients proposing TLSv1.1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 14:25:10 -0000
Florian Weimer wrote: > > * Martin Rex: > > > I really think we (the TLS WG) should provide a remedy to this awful > > situation for the TLS protocol version negotiation in the installed > > base. > > Most vendors offer automated updates these days. Deployments which are > not updated are likely to have other issues besides interoperability > problems. Protocol fixes still do not end up in deployment. The installed base of TLS is around 2 Billien endpoints (no kidding), so any "updates" and new features should seriously take into account how the installed base (in particular the part that is not going to be updated) reacts to them. Allergic reaction (=interop problems) need to be avoided as much as possible. It seems that no TLS client that propose TLSv1.1 or higher today would want to do so without a reconnect fallback facility in place. The problem of the reconnect fallback is, that it precludes a protected negotiation of the TLS version. There seems to be only one extensibility left in TLS that is sufficiently robust to be usable in _all_ scenarios (and that allows for a real negotiation inside TLS rather than an application level fallback after a TLS handshake failure). > > I think we should try to figure out the reason before we try to work > around it. TLS version negotiation (and the checking of the TLS version in the RSA premaster secret) is sufficiently broken across the installed base that we really don't need to know anything else. A "nanny" spec that provide very detailed guidance about how an alternative TLS version negotiation works, plus all the known issues about the known defects in existing TLS version negotiation and how thing MUST be done in future implementations, should be just fine to address the problem ... and to bridge the 10-15 years that it takes before all of the problematic TLS implementations, that currently exist in the installed base, have died off sufficiently so that the original TLS version negotiation (which is _not_ going to be deprecated, just extended) can be expected to work as originally intended. > > If we're unlucky, the workarounds are broken in a similar way, It is not the original TLS version negotiation that is really broken, but it seems to have been underexplained in a fashion that there was apparent confusion among implementors about which protocol version to use on the record layer for a ClientHello and which protocol version to use (and to check) in the RSA permaster secret. To address the problems apparent in the original installed base, I believe that using a much clearer specification with the scope limited to TLS version negotiation, plus real interop testing of that extensibility feature should be sufficient. Traditional SSL&TLS interop was done only in a limited fashion and only about features that were implemented. If anyone had interop-tested the extensibility before shipping, they would have realized their bugs. It's a real pity that Microsoft did _not_ interop test their RSA premaster version check on renegotiation handshakes before they shipped the TLS renegotiation fix for win7/2008R2 (I haven't checked their older SChannels for this characteristic). > > and we gain very little because vendors and deployments which use > arguably more secure protocol versions are still punished by an > incompatible installation base. We can not do anything about the lack of features in the installed base, other than _not_ let that stop us from using better features with newer peers. Currently, the installed base is a _real_ problem for TLS clients to perform a protected TLS version negotiation, and realizing that, the TLS WG should provide an alternative. -Martin
- [TLS] interop for TLS clients proposing TLSv1.1 Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] interop for TLS clients proposing TLSv1… Yoav Nir
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] interop for TLS clients proposing TLSv1… Geoffrey Keating
- Re: [TLS] interop for TLS clients proposing TLSv1… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Geoffrey Keating
- Re: [TLS] interop for TLS clients proposing TLSv1… Peter Gutmann
- Re: [TLS] interop for TLS clients proposing TLSv1… Florian Weimer
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Yngve N. Pettersen
- Re: [TLS] interop for TLS clients proposing TLSv1… Bill Frantz
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Nikos Mavrogiannopoulos
- Re: [TLS] interop for TLS clients proposing TLSv1… Juho Vähä-Herttua