[TLS] checking on an scsv point
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 17 February 2015 22:25 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A579E1A88CE for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 14:25:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.311
X-Spam-Level:
X-Spam-Status: No, score=-2.311 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XBOynjFI2o3s for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 14:25:44 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D5BA1A88CF for <tls@ietf.org>; Tue, 17 Feb 2015 14:25:44 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0E4C7BF08 for <tls@ietf.org>; Tue, 17 Feb 2015 22:25:43 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iJTpwuphzGHQ for <tls@ietf.org>; Tue, 17 Feb 2015 22:25:41 +0000 (GMT)
Received: from [172.16.20.132] (unknown [216.127.117.38]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 7425ABEFB for <tls@ietf.org>; Tue, 17 Feb 2015 22:25:41 +0000 (GMT)
Message-ID: <54E3BFE3.5080204@cs.tcd.ie>
Date: Tue, 17 Feb 2015 22:25:39 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NErkY5CCmMWB6C4oyt3TFDiTt94>
Subject: [TLS] checking on an scsv point
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 22:25:46 -0000
Hiya, In going over the threads on this I think there was one point of Martin's where it wasn't clear to me that the WG considered his proposal. That might be because it was raised just before the holidays and was part of a mega-thread and fairly deeply embedded in a longer message. Anyway, I asked Martin if he could describe it better and he did (see below) so I'd like to just check that the WG don't in fact want this. If you do not want to make this change, silence if fine, but if you would implement this in your TLS stack then please say so in the next few days. (Pretty please: let's not side-track - I'm really only looking for "yes, I'd implement that in my TLS code" responses, or silence:-) I figure it's not likely that the WG will want this, but if there's a groundswell for doing it, we can handle the process stuff, so don't worry about that. Thanks, S. What I've been asking for time and time again is allowing (adding) an additional/alternative server behaviour, which a TLS (server) implementer will be _allowed_ to implement instead of a fatal handshake failure. The most simplistic alternative server behaviour would be for the server to continue the handshake successfully, using ServerHello.server_version = (ClientHello.client_version + 1) i.e. negotiating a _higher_ TLS version instead of aborting the TLS handshake with a fatal error. A client (and this affects only the clients that assert the FALLBACK_SCSV) will be able to recognize that the server supports a higher TLS protocol version than what the TLS client proposed in ClientHello.client_version, and it will be left to that client to decide whether the resulting TLS session properties are OK, or wether the client want to take chances, establishing a new connection, starting a new handshake and proposing other/additional TLS protocol features in ClientHello that it might have omitted (for whatever reason) in the last ClientHello. This alternative behaviour is better, because it provides actual *interoperability* between TLS client and TLS server -- and in many cases the same or reasonably secure TLS session properties without the need for complex heuristics and a whole new connection establishment and handshake through the entire application protocol stack (such as HTTP CONNECT proxy traversals or the stuff before STARTTLS). Keep in mind that I'm NOT asking to make early adopter servers(!) non-compliant. Admittedly, I don't know what exactly the early adopting clients will currently do when they receive ServerHello.server_version = (ClientHello.client_version + 1)
- [TLS] checking on an scsv point Stephen Farrell
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Henrik Grubbström
- Re: [TLS] checking on an scsv point David Benjamin
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Thomson