Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt

Michael D'Errico <mike-list@pobox.com> Wed, 03 June 2015 15:47 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A80E1A90A7 for <tls@ietfa.amsl.com>; Wed, 3 Jun 2015 08:47:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c4SRdfjaeYum for <tls@ietfa.amsl.com>; Wed, 3 Jun 2015 08:47:55 -0700 (PDT)
Received: from sasl.smtp.pobox.com (pb-sasl1.int.icgroup.com [208.72.237.25]) by ietfa.amsl.com (Postfix) with ESMTP id D593C1A90A4 for <tls@ietf.org>; Wed, 3 Jun 2015 08:47:55 -0700 (PDT)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by pb-sasl1.pobox.com (Postfix) with ESMTP id B191050AD1; Wed, 3 Jun 2015 11:47:49 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=iJCDDCi8XEeE zStwycWg2pMgAm8=; b=J/MhmhQ0D7+G+PDpSZhXV7wQu5l02OMk1YD7EJvwNwia OvrfZpO2efBS0PFicvwEojL/bKhBvORc5ZKxWBvGcdC9y6w52vwk4PinmwLCbEh7 vlft+ATXVVt6rg+29E1ZZY5+nv+e9H0EEdtBZP7I71RWHbdDTXzvDBrFRE8t3eU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=J1IbMP pIKB/O+1/MSn5s075JyS2YU/eaWi1d0J75Ce1c/qUnAHwHiwsUpIcurX1/vVJzEw tIMf0e+3OGswm8TVwh0IPczEKFckRrO4q9QIM5ztPVhObyece0kWYZ5GaNo+jAiz K0K+ewLdFav8Gh04iXjSiva1ywlRGXXbrawjI=
Received: from pb-sasl1.int.icgroup.com (unknown [127.0.0.1]) by pb-sasl1.pobox.com (Postfix) with ESMTP id AAE9D50AD0; Wed, 3 Jun 2015 11:47:49 -0400 (EDT)
Received: from iMac.local (unknown [24.234.153.62]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pb-sasl1.pobox.com (Postfix) with ESMTPSA id 0BD1250ACF; Wed, 3 Jun 2015 11:47:48 -0400 (EDT)
Message-ID: <556F21A2.6010303@pobox.com>
Date: Wed, 03 Jun 2015 08:47:46 -0700
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Tony Arcieri <bascule@gmail.com>
References: <20150601225057.17500.96911.idtracker@ietfa.amsl.com> <CAHOTMVJ1xu+mEaROWKuEtW1E8Ks3r3gKagEM9mJdBOKW3kSZJQ@mail.gmail.com> <1474500.r0W7gM0pAO@pintsize.usersys.redhat.com> <CAHOTMVJgqqRBYWR+8LtwxfdRVWxEXLZAgzr5Q-1DH7ejONAGnw@mail.gmail.com> <m2lhg1b8us.fsf@localhost.localdomain> <CAHOTMVLrgUNi449DQwggt556ioEeXCQTUN+M3phBftPk88xtOw@mail.gmail.com> <BLU177-W17E87DB68F54CE64BDC44C3B40@phx.gbl> <CAHOTMVLpmS94cBZOxu6e3-e2MMO+Z0SAvPb7dWW47jQqXpT9+A@mail.gmail.com> <BLU177-W1EA1B34A70F648FD8C139C3B40@phx.gbl> <CAHOTMV+FxxG7tpq55UyKs+q06uk5H-dCqkTswBDJsM=5Bv6pqA@mail.gmail.com> <9A043F3CF02CD34C8E74AC1594475C73AB034F5F@uxcn10-tdc05.UoA.auckland.ac.nz> <CAHOTMVJM7tw8gDzaAOxoi39aC3v_PycFay3Jg6e09Wx5k9H4cw@mail.gmail.com>
In-Reply-To: <CAHOTMVJM7tw8gDzaAOxoi39aC3v_PycFay3Jg6e09Wx5k9H4cw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: E2E49DDE-0A07-11E5-94A6-B18815BAEDE0-38729857!pb-sasl1.pobox.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/KMrUUpxe_SDsY4yARrwkiJU6WeU>
Cc: TLS WG <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 15:47:57 -0000

Tony Arcieri wrote:
> On Wed, Jun 3, 2015 at 1:07 AM, Peter Gutmann wrote:
> 
>     *You've got that exactly reversed, it's not "DHE is breaking
>     Java handshakes", it's "(Sun/Oracle's) Java is breaking DHE
>     handshakes".*
> 
> Here in the real world things are written in Java and we have to deal 
> with that. Idealistically I'd wave a magic wand and all of the legacy 
> cruft would go away. Unfortunately I don't have that magic wand. I have 
> to keep the real-world systems talking to each other.
> 
> I want real-world solutions to real-world problems, not idealistic zealotry.

I recently added version-specific DH parameter sizes to my server code.
When a client supports TLS 1.2, 2048-bit (or larger) parameters are used,
otherwise 1024-bit parameters are sent.  Legacy Java clients won't be
negotiating version 1.2 so they are still able to connect.

Unfortunately this feature fairs poorly when graded by SSL Labs because
it is currently unaware of version-specific DH parameters, though I hear
they are working on it.

Mike