Re: [TLS] Thoughts on Version Intolerance

Ivan Ristić <ivan.ristic@gmail.com> Sat, 23 July 2016 15:59 UTC

To: tls@ietf.org
References: <20160718130843.0320d43f@pc1> <1735315.hXCMA8agXV@pintsize.usersys.redhat.com> <2867948.pp4OFeU9TP@pintsize.usersys.redhat.com> <20160720120125.43f61155@pc1>
From: Ivan Ristić <ivan.ristic@gmail.com>
Message-ID: <96400281-f648-205c-39da-78e6b92166f1@gmail.com>
Date: Sat, 23 Jul 2016 17:59:35 +0200
In-Reply-To: <20160720120125.43f61155@pc1>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/D2vT5QfV9ddN7LnfgYq-QF4f08A>
Subject: Re: [TLS] Thoughts on Version Intolerance

On 20/07/2016 12:01, Hanno Böck wrote:
> On Wed, 20 Jul 2016 11:20:46 +0200
> Hubert Kario <hkario@redhat.com> wrote:
> 
>> so it looks to me like while we may gain a bit of compatibility by
>> using extension based mechanism to indicate TLSv1.3,
> 
> Just quick: This was discussed yesterday, David Benjamin had an
> interesting proposal, but it was largely met with resistance. So from
> the WG discussion yesterday I had the impression that we will most
> likely stay with the existing clienthello version mechanism. While that
> will cause us more trouble, it's probably the cleaner option anyway. So
> we definitely should continue investigating version intolerance and
> tell people to fix their stuff.
> 
> I'm now also collecting some data and have some preliminary
> suspicion on affected devices. My numbers roughly match yours that we
> are in the more or less 3% area of 1.3 intolerance.

FYI: I am seeing TLS 1.3 intolerance at 3.2% in the most recent SSL
Pulse scan (July 2016).

I'll propose that a chart is added to the SSL Pulse monthly report so
that we can track the percentage in the following months.


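As an added illustration of what a version-intolerance probe of the kind
discussed in this thread actually sends (example code written for this
page, not code from the thread, from SSL Pulse or from any of the scanners
mentioned): the ClientHello below lets the record-layer version, the
handshake-layer client_version and an optional supported_versions
extension be set independently, so the same host can be asked once as
TLS 1.2 and once as TLS 1.3 and the two answers compared. A server that
answers the 1.2 hello with a ServerHello but drops, resets or alerts on
the 1.3 hello is what the 3% figures above count. Cipher suite, group,
extension and alert code points are the IANA values; the sample responses
at the bottom are constructed by hand, not captured from a real server;
the hostname is only a parameter. The client_version probe reflects the
ClientHello version mechanism under discussion here; the extension path
is the alternative Hanno refers to, and is what the final TLS 1.3
eventually adopted, so on a modern server the 1.3 probe should use it.

```python
"""Minimal TLS version-intolerance probe (added example, not from the thread)."""
import os
import socket
import struct

TLS12 = 0x0303
TLS13 = 0x0304

# IANA cipher suite codes any TLS 1.2-capable server should accept at least one of.
CIPHERS = [0xC02F, 0xC030, 0x009C, 0x002F, 0x0035]
GROUPS = [0x001D, 0x0017]  # x25519, secp256r1


def _ext(ext_type, body):
    """Wrap an extension body in its 2-byte type and 2-byte length."""
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname):
    """server_name (type 0): most virtual hosts refuse a hello without it."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
    return _ext(0x0000, struct.pack("!H", len(entry)) + entry)


def supported_groups_extension():
    """supported_groups (type 10), needed for the ECDHE suites above."""
    body = struct.pack("!H", 2 * len(GROUPS)) + b"".join(struct.pack("!H", g) for g in GROUPS)
    return _ext(0x000A, body)


def supported_versions_extension(versions):
    """supported_versions (type 43): the extension-based way to signal TLS 1.3."""
    body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    return _ext(0x002B, body)


def build_client_hello(hostname, client_version, record_version=0x0301,
                       supported_versions=None, random_bytes=None):
    """Return one TLS record carrying a ClientHello with the given versions.

    record_version defaults to 0x0301 because many real clients keep the
    record layer at TLS 1.0 for compatibility; intolerance can be to either field.
    """
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    ciphers = b"".join(struct.pack("!H", c) for c in CIPHERS)
    extensions = sni_extension(hostname) + supported_groups_extension()
    if supported_versions:
        extensions += supported_versions_extension(supported_versions)
    body = (struct.pack("!H", client_version) + rnd
            + b"\x00"                                    # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def classify_response(data):
    """Classify the first bytes a server sends back after our ClientHello."""
    if not data:
        return "closed"                                  # FIN/RST without a TLS message
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        version = struct.unpack("!H", data[9:11])[0]     # ServerHello.server_version
        return "serverhello:%04x" % version
    if data[0] == 0x15 and len(data) >= 7:
        return "alert:%d" % data[6]                      # AlertDescription, 70 = protocol_version
    return "garbage"                                     # e.g. an HTTP error on port 443


def probe(hostname, port=443, client_version=TLS13, supported_versions=None, timeout=5.0):
    """Send one ClientHello over a fresh TCP connection and classify the reply."""
    with socket.create_connection((hostname, port), timeout=timeout) as s:
        s.sendall(build_client_hello(hostname, client_version, supported_versions=supported_versions))
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


def is_version_intolerant(hostname, port=443):
    """True if a TLS 1.2 hello gets a ServerHello but the same hello as TLS 1.3 does not."""
    ok12 = probe(hostname, port, TLS12).startswith("serverhello")
    ok13 = probe(hostname, port, TLS13).startswith("serverhello")
    return ok12 and not ok13


# Constructed sample responses for offline checks (not captured traffic).
def sample_server_hello(version):
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + b"\xC0\x2F" + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal, protocol_version
```

is_version_intolerant() needs two separate connections because many
intolerant middleboxes reset the TCP session rather than send an alert;
the "closed" and "timeout" outcomes are therefore as significant as
"alert:70" when reading the results.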