Re: [TLS] A new TLS version negotiation mechanism

[Dave Garrett <davemgarrett@gmail.com>]

On Wednesday, March 11, 2015 02:13:56 pm Stephen Checkoway wrote:
> Do you expect that there's a significant fraction of servers that (a) tolerate 1.2; (b) don't tolerate > 1.2; and (c) aren't maintained or can't be upgraded?

Yes.

> I'd be surprised by data showing this. I imagine that any server satisfying (b) and (c), probably doesn't satisfy (a) so this proposal doesn't help.

http://www.ietf.org/mail-archive/web/tls/current/msg15141.html
On Tuesday, January 20, 2015 11:01:31 pm Xiaoyin Liu wrote:
> For each site, I made at most four attempts with the following order to fallback:
> (TLS 1.3, TLS 1.3) -> (TLS 1.0, TLS 1.3) -> (TLS 1.0, TLS 1.2) -> (TLS 1.0, TLS 1.0)
> where the first is TLS record layer version, and the second is Client Hello version.
>  
> Here is the result:
> (1) Number of sites scanned: 1,000,001
> (2) Number of DNS Error: 45,402
> (3) Number of sites that refuse TCP connection on port 443 (RST, timeout): 289,334
> (4) Number of sites that fail sending ServerHello in all 4 attempts: 238,846
> (5) Number of sites that are tolerant to (TLS1.3, TLS1.3): 397,152 (93.1%)
> (6) Number of sites that need to fallback to (TLS1.0, TLS1.3): 22,461 (5.3%)
> (7) Number of sites that need to fallback to (TLS1.0, TLS1.2): 6,352 (1.5%)
> (8) Number of sites that need to fallback to (TLS1.0, TLS1.0): 454 (0.1%)
> 
> The total number of TLS enabled sites is 426,419. TLS 1.3 intolerant sites (7 and 8) are about 1.6%. TLS 1.2 intolerant sites are about 0.1%. Also it shows setting a lower record layer version does improve compatibility a lot. An example is https://paypal.com is intolerant to (TLS 1.3, TLS 1.3) but is tolerant to (TLS 1.0, TLS 1.3). Please note that I did not validate certificates nor check the integrity of handshakes. I closed the connection immediately after receiving ServerHello.

Anecdotally, I am seeing TLS 1.3 intolerant servers that otherwise work popping up reports of servers breaking with the RC4 phase out.

An arbitrary and not scientific survey of the sites currently listed in the Mozilla RC4-Dependence meta-bug shows the following:

https://bugzilla.mozilla.org/show_bug.cgi?id=1138101
42 sites checked (popular enough to get reported there, at least)
of those, 5 have fixed their RC4 dependence; the others have not (as of this email)

5 are TLS 1.1-1.3 intolerant
1 is TLS 1.2-1.3 intolerant
8 are TLS 1.3 intolerant, but not 1.2 or less
3 are even tolerant to TLS 1.98 & 2.98 tests (the others are not)

(not bothering with percentages because the sample size is low and biased)

The rough things learned here are:
1) TLS 1.3 intolerance is more common than TLS 1.2 intolerance
2) TLS 1.2 intolerance without TLS 1.1 intolerance is actually a thing that happens
3) It is seemingly rare for any server to fully implement version negotiation properly
    (the domain that runs the test I use is even intolerant to TLS 2.98)
4) It appears that TLS 1.3 intolerance is more common with servers that have other problems that should've been fixed by now, but aren't

Again, this is anecdotal. I don't claim this is fully extrapolatable to the entire Internet, just that I'm seeing enough of it to be concerned.

I argue that TLS should never formally change its ClientHello version to anything greater than 1.x, though a spec name with yet another hacky numbering that doesn't match the official version number would be fine. (e.g. Call it TLS2 but number it {3,4} still)

I also argue that TLS 1.3 intolerance is something that must be addressed fully BEFORE attempting to get draft implementations out there and encouraging insecure fallback to deal with it.


Dave