Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

Hubert Kario <hkario@redhat.com> Tue, 07 June 2016 17:33 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90A6E12D73B for <tls@ietfa.amsl.com>; Tue, 7 Jun 2016 10:33:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.328
X-Spam-Level:
X-Spam-Status: No, score=-8.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HO-46Y86c2e0 for <tls@ietfa.amsl.com>; Tue, 7 Jun 2016 10:33:53 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1913F12D5D1 for <tls@ietf.org>; Tue, 7 Jun 2016 10:33:53 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 48053811DF; Tue, 7 Jun 2016 17:33:52 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (dhcp-0-122.brq.redhat.com [10.34.0.122]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u57HXoQc011238 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 7 Jun 2016 13:33:51 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Tue, 07 Jun 2016 19:33:39 +0200
Message-ID: <4418055.GXTqvqFNm1@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.10 (Linux/4.4.11-200.fc22.x86_64; KDE/4.14.17; x86_64; ; )
In-Reply-To: <19D9A152-3801-44DA-ADF0-345011EDF54D@gmail.com>
References: <CAF8qwaDuGyHOu_4kpWN+c+vJKXyERPJu-2xR+nu=sPzG5vZ+ag@mail.gmail.com> <CAJU8_nU6dN7_GgjkC9c5VJawi91B4SpyvgyYU+_F4HeLtHWUaw@mail.gmail.com> <19D9A152-3801-44DA-ADF0-345011EDF54D@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart13205527.zGqXmMRM9P"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Tue, 07 Jun 2016 17:33:52 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/GrWJjMJqGve39rzmhuPtuzrpNvI>
Subject: Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2016 17:33:55 -0000

On Tuesday 07 June 2016 17:36:01 Yoav Nir wrote:
> I’m not sure this helps.
> 
> I’ve never installed a server that is version intolerant. TLS stacks
> from OpenSSL, Microsoft, 

are you sure about that Microsoft part?

there is quite a long thread on the filezilla forums about TLS version 
tolerance in IIS:
https://forum.filezilla-project.org/viewtopic.php?f=2&t=27898

> Java, and most any implementation we can
> name have been version tolerant forever.

tls version intolerance is only one thing, then we have:

 * old-ish Java is intolerant of 2048 bit DH key share
 * many versions of OpenSSL are intolerant to very big Client Hello 
   messages (over ~1500 bytes)
 * old-ish IIS is intolerant to placing RC4 ciphersuites very low in 
   order

and so on...

> Certainly none of us can
> name any implementation that at any point had a version out that was
> tolerant (or implementing) TLS 1.2 but intolerant of TLS 1.3.

I don't know for sure what ebay.com is running, but it certainly is TLS 
1.3 intolerant

tls_prober[1] identifies it at Microsoft IIS 7.5

> And these are the same implementations we’re likely to participate in
> a bakeoff or run the suite we create in the hackathon.

if bugs get fixed, then we have achieved something

1 - https://github.com/WestpointLtd/tls_prober

> Yoav
> 
> > On 7 Jun 2016, at 5:22 PM, Kyle Rose <krose@krose.org>; wrote:
> > 
> > I'm a big fan of the idea of a very strict qualification suite, as
> > well, to try to head off some of these problems before (faulty)
> > implementations proliferate.
> > 
> > Hackathon?
> > 
> > Kyle
> > 
> > On Jun 7, 2016 2:00 AM, "Peter Gutmann" <pgut001@cs.auckland.ac.nz
> > <mailto:pgut001@cs.auckland.ac.nz>> wrote:> 
> > Dave Garrett <davemgarrett@gmail.com 
<mailto:davemgarrett@gmail.com>> writes:
> > >Also, as with any new system, we now have the ability to loudly
> > >stress to TLS 1.3+ implementers to not screw it up and test for
> > >future-proofing this time around.
> > 
> > I think that's the main contribution of a new mechanism, it doesn't
> > really matter whether it's communicated as a single value, a list,
> > or interpretive dance, the main thing is that there needs to be a
> > single location where the version is given (not multiple locations
> > that can disagree with each other as for TLS < 1.3), and the spec
> > should include a pseudocode algorithm for dealing with the version
> > data rather than just "implementations should accept things that
> > look about right".
> > 
> > Peter.
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org <mailto:TLS@ietf.org>
> > https://www.ietf.org/mailman/listinfo/tls
> > <https://www.ietf.org/mailman/listinfo/tls>
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic