Re: [TLS] consensus on backwards compatibility changes

Sean Turner <turners@ieca.com> Tue, 27 January 2015 17:21 UTC

Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AEFE1A88A7 for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 09:21:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.567
X-Spam-Level:
X-Spam-Status: No, score=-0.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_BARE_IP_2=1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pTS0H1jkctls for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 09:21:09 -0800 (PST)
Received: from gateway13.websitewelcome.com (gateway13.websitewelcome.com [67.18.71.14]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA0691A889D for <tls@ietf.org>; Tue, 27 Jan 2015 09:21:07 -0800 (PST)
Received: by gateway13.websitewelcome.com (Postfix, from userid 5007) id 01B1866F4476A; Tue, 27 Jan 2015 11:21:07 -0600 (CST)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway13.websitewelcome.com (Postfix) with ESMTP id D8B2566F446E4 for <tls@ietf.org>; Tue, 27 Jan 2015 11:21:06 -0600 (CST)
Received: from [96.231.226.60] (port=65043 helo=192.168.1.2) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <turners@ieca.com>) id 1YG9p3-0007FD-Vv; Tue, 27 Jan 2015 11:21:06 -0600
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <turners@ieca.com>
In-Reply-To: <CABcZeBPujH595MjfRDstnaDk5fmQVi4qi+-nUhu5zh3L4CxUgw@mail.gmail.com>
Date: Tue, 27 Jan 2015 12:21:03 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <83CBC7E2-CDC9-4EDD-8648-8C80EE588343@ieca.com>
References: <201412300503.03923.davemgarrett@gmail.com> <CABcZeBPujH595MjfRDstnaDk5fmQVi4qi+-nUhu5zh3L4CxUgw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 96.231.226.60
X-Exim-ID: 1YG9p3-0007FD-Vv
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (192.168.1.2) [96.231.226.60]:65043
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 3
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/GQ7Z54jxV80CFke6Q5E3PL50cfQ>
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jan 2015 17:21:11 -0000

We believe that what’s reflected in PR #105 reflects list consensus.  But, we (as chairs) have a couple of thoughts:

0) We both hate “MAY” requirements language.  We’d prefer that the following be reworded (this is just a starting point):

OLD:

 Implementations MAY accept an SSL version 2.0 compatible
 CLIENT-HELLO in order to negotiate older versions of TLS,
 however this is not recommended.

NEW:

 Implementations are NOT RECOMMENDED to accept an
 SSL version 2.0 compatible CLIENT-HELLO in order to
 negotiate older versions of TLS.

note that the using “NOT RECOMMENDED” also means we need to add that to the 2119 language clause but we can do that later.  Basically:

s1.1: OLD:

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 document are to be interpreted as described in RFC 2119 [RFC2119].

NEW:

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", “SHALL NOT”,
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED”,
 "MAY", and "OPTIONAL" in this document are to be interpreted as described
 in RFC 2119 [RFC2119].

1) We’d like to make it crystal clear in the SSL3.0 text whether you’re talking about the hello version or record version. We’re pretty sure that “protocol version” in the following is the hello version but we think that should be made clear.

 Implementations MUST NOT send a ClientHello or ServerHello with
 the protocol version set to { 3, 0 } or less. Any endpoint receiving a
 Hello message with the protocol version set to { 3, 0 } MUST respond
 with a "protocol_version" alert message and close the connection.

spt

On Jan 25, 2015, at 14:36, Eric Rescorla <ekr@rtfm.com> wrote:

> Based on reading the mailing list, it seems to me that there is rough consensus
> on PR#105, but not (yet?) on PR#107.
> 
> Chairs,
> I'd like to merge PR#105. Do you agree that there is consensus? If so,
> I will merge.
> 
> Can you please advise on how you would like to proceed on PR#107?
> 
> -Ekr
> 
> 
> 
> 
> On Tue, Dec 30, 2014 at 2:03 AM, Dave Garrett <davemgarrett@gmail.com> wrote:
> Per Brian's suggestion, I've split the topic of full prohibition of SSL v2
> CLIENT-HELLO usage into its own issue, as there is clearly no consensus on this
> yet. It would be really nice if some real-world stats on how much this is
> actually used could be provided. (I think continued acceptance of it is
> illegitimate, but hard data is harder to argue with)
> 
> Issue #113 Prohibit SSL v2 CLIENT-HELLO entirely
> https://github.com/tlswg/tls13-spec/issues/113
> 
> I have heard notable support for this, including Eric, but I do concede there
> might be too much desire for infinite backwards compatibility to reach consensus.
> I'm still hopeful we can come to an agreement that two decades is a sufficient
> deprecation period. :/
> 
> I have two PRs for the backwards compatibility section.
> 
> The first has all SSL backwards compatibility changes. In addition to RFC 6176
> SSL 2 language, I've added SSL 3 negotiation prohibition as per Martin's
> suggestion (based on the current I-D). The v2 hello documentation is cut out,
> but seeing as it's only valid for prior versions, prior RFCs can be referenced
> if needed.
> 
> PR #105 remove SSL 2 backwards compatibility section & prohibit SSL negotiation
> https://github.com/tlswg/tls13-spec/pull/105
> 
> The second PR has more general backwards compatibility section improvements,
> prohibition of RC4 (also based on its current I-D), and Brian's ClientHello
> version freeze proposal. Currently, I have the ClientHello version listed as a
> "MUST", but I leave for the possibility that a "SHOULD" might be appropriate if
> other tactics for dealing with buggy servers should continue to be permitted.
> Feedback from Microsoft, Oracle, or anyone else implementing alternate
> workarounds here would be greatly appreciated.
> 
> PR #107 revise backwards compatibility & fix ClientHello version
> https://github.com/tlswg/tls13-spec/pull/107
> 
> Note that the SSL3 & RC4 language based on current drafts is of course
> contingent on those being passed successfully, though this is generally
> expected.
> 
> Both PRs update the Informative References as needed, which I've hopefully done
> correctly.
> 
> 
> Dave
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls