Re: [TLS] Minutes from Tuesday (Martin Rex) Thu, 06 November 2014 10:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F2FAC1A1AB7 for <>; Thu, 6 Nov 2014 02:01:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FKrYkmiON8Ja for <>; Thu, 6 Nov 2014 02:01:46 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 715EF1A1AB5 for <>; Thu, 6 Nov 2014 02:01:46 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9639C3A117; Thu, 6 Nov 2014 11:01:44 +0100 (CET)
Received: from ( []) by (Postfix) with ESMTP id 869324132B; Thu, 6 Nov 2014 11:01:44 +0100 (CET)
Received: by (Postfix, from userid 10159) id 812BE1AF98; Thu, 6 Nov 2014 11:01:44 +0100 (CET)
In-Reply-To: <>
To: Bodo Moeller <>
Date: Thu, 06 Nov 2014 11:01:44 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <>
Cc: Manuel Pégourié-Gonnard <>, "" <>
Subject: Re: [TLS] Minutes from Tuesday
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Nov 2014 10:01:49 -0000

Bodo Moeller wrote:
> Manuel Pégourié-Gonnard <>:
>> Martin Rex wrote:
>>> Bodo Moeller wrote:
>>>> [...] reacting to a fatal alert is something that all TLS
>>>> implementations already know how to do.
>>> That reaction is called interop failure.  That is the far opposite
>>> of what IETF working groups are supposed to consciously cause to happen
>>> when the alternative would be to make interop succeed.
>> the benefits of the solution you suggest, but I think the simplicity of the
>> current draft is a big advantage in getting it widely (and correctly)
>> deployed sooner rather than later, which IMO outweighs the advantages
>> of a more complex approach.

It's actually hard to think of a more unreasonable behaviour than
the one currently specified.

A different, equally simple and magnitudes more useful server behaviour
would be for the server to continue the handshake as normal and simply
assume in the processing of the ClientHello that the Client means
ClientHello.client_version +1 compared to what it sent over the wire.

(but when doing that, the server ought to skip the RSA premaster secret
 client_version check later on when selecting a cipher suite with
 static RSA key exchange.  Since Microsoft botched the RSA premaster
 secret version on renegotiation handshakes in Win7, and there is no
 security value in the check anyway, this should be perfectly OK.)