Re: [TLS] TLS 1.3 - Support for compression to be removed

Eric Rescorla <ekr@rtfm.com> Thu, 08 October 2015 04:44 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E17961A8768 for <tls@ietfa.amsl.com>; Wed, 7 Oct 2015 21:44:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.012
X-Spam-Level:
X-Spam-Status: No, score=0.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F83v6zGXTBna for <tls@ietfa.amsl.com>; Wed, 7 Oct 2015 21:44:22 -0700 (PDT)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E94471A8764 for <tls@ietf.org>; Wed, 7 Oct 2015 21:44:21 -0700 (PDT)
Received: by wicfx3 with SMTP id fx3so7792390wic.0 for <tls@ietf.org>; Wed, 07 Oct 2015 21:44:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=auZE5aIdbTMqL598x8tauePqGf1hWAabfb9wg901mI8=; b=h9eVqm/hL/mcmDOxv1+fgumedLLr/wNAsiCzTZE5D80hpVtQrdoYdsztbmguQTU2DQ j7y+eEZ48/lPdEY/wQi3v5iiPtQyvVLRMdUKknWUEzouWI89bQNJveUKfrfjFmmXL+zr o/PzM0BI2jpOocc2lBJ4VL69WBZjuCE7rSMHRVjJs84qFu3M9ALug0mPr3d5HWNebRcs bAjecxWGHtpEUKeI02pVMVX3A12xJAXxq3pLIiYHHRIv3hnnnmo1NZklfDmDv5QRTwwU BR5DzktQO2fkB6sCuUXE7TAHp/FW8+z6kOIFp1NbDc/qMVpH1u9WcOhOpBJzx85K0FTW xEAA==
X-Gm-Message-State: ALoCoQmQasR/STjj1SxeHNRxk+g7LmMeS6DcWv/AE7L15ukGsMEjZLLtdIdBpdKvX/HZqpaMah3u
X-Received: by 10.194.94.71 with SMTP id da7mr5195023wjb.8.1444279460411; Wed, 07 Oct 2015 21:44:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.79.200 with HTTP; Wed, 7 Oct 2015 21:43:40 -0700 (PDT)
In-Reply-To: <49943603-287F-4C78-AEC1-45628554C190@akamai.com>
References: <CABcZeBNfFHR3eDi1yoifOuZ_ALMPN+xRo1nBx+qk19J+LQjmLw@mail.gmail.com> <20151007211155.384AC1A2C5@ld9781.wdf.sap.corp> <CABcZeBPoF9Qm=ySx+xXkLCegWn1j=06LP+KPcZ=6N7NAbodBew@mail.gmail.com> <49943603-287F-4C78-AEC1-45628554C190@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 08 Oct 2015 06:43:40 +0200
Message-ID: <CABcZeBNkePGEhTyZs6_7dtnyiP5cVKkcSUzcD-NspZti2-MVPg@mail.gmail.com>
To: "Short, Todd" <tshort@akamai.com>
Content-Type: multipart/alternative; boundary="047d7bf0c10231d22c05219084cc"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/OblE30kw2VIiID_UDyUZTYw1c_0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 - Support for compression to be removed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2015 04:44:25 -0000

On Wed, Oct 7, 2015 at 11:28 PM, Short, Todd <tshort@akamai.com> wrote:

> However, for those ClientHello’s that support older versions, the
> compression_method field may contain other values. This means that if a
> TLSv1.3 client happened to support compression for TLSv1.2, it would be
> unable to negotiate that via a single ClientHello. There’s no way to
> attempt to negotiate TLSv1.2+compression and TLSv1.3+no-compression in a
> single ClientHello.
>
> In effect, the document is stating that a TLSv1.3 client MUST NOT support
> compression, regardless of the protocol version that may be negotiated.
>

Yes, this is what I believe it says and what I believe the WG had consensus
on, the reasoning being that we really wished to just remove the feature
entirely. If the chairs declare consensus on something else, I will of
course edit
it to say something else.

-Ekr

--
> -Todd Short
> // tshort@akamai.com
> // "One if by land, two if by sea, three if by the Internet."
>
> On Oct 7, 2015, at 5:15 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Wed, Oct 7, 2015 at 11:11 PM, Martin Rex <mrex@sap.com> wrote:
>
>> Eric Rescorla wrote:
>> > Martin Rex <mrex@sap.com> wrote:
>> >> Eric Rescorla wrote:
>> >>>
>> >>> That is what the document says:
>> >>> "Versions of TLS before 1.3 supported compression and the list of
>> >>> compression methods was supplied in this field. For any TLS 1.3
>> >>> ClientHello, this field MUST contain only the ?null? compression
>> method
>> >>> with the code point of 0. If a TLS 1.3 ClientHello is received with
>> any
>> >>> other value in this field, the server MUST generate a fatal
>> >>> ?illegal_parameter? alert. Note that TLS 1.3 servers may receive TLS
>> 1.2
>> >>> or prior ClientHellos which contain other compression methods and MUST
>> >>> follow the procedures for the appropriate prior version of TLS."
>> >>
>> >> The quoted wording calls for a fatal handshake failure when ClientHello
>> >> offers
>> >>
>> >>   TLSv1.2+compression  _or_  TLSv1.3
>> >>
>> >> while at the same time the last requirement asserts that a ClientHello
>> with
>> >>
>> >>   TLSv1.2+compression
>> >>
>> >> is perfectly OK.  To me, this looks quite odd.
>> >
>> > That's not how I read this text.
>> >
>> > Rather, I read it as:
>> > If ClientHelloVersion >= TLS 1.3
>> >    then the compression field must be empty
>> > else:
>> >    the compression field is dictated by other versions
>> >
>> > This doesn't seem inconsistent to me. If you still think that the
>> paragraph
>> > reads differently, can you help me by diagramming it?
>>
>> What you describe would be considerable worse that what I understood,
>> because it would mean that a TLSv1.3 ClientHello will be unconditionally
>> invalid for a TLSv1.2 server.
>>
>>    https://tools.ietf.org/html/rfc5246#page-42
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc5246-23page-2D42&d=BQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=QBEcQsqoUDdk1Q26CzlzNPPUkKYWIh1LYsiHAwmtRik&m=IxUTnzF6SN6y6C4zTXXfgQmiV1FojXWtLZ0S8hS5eGY&s=Uu3NPBs1t52N_fGVGPqXazTAStG7cPUeCfNh6eCTtkk&e=>
>>
>>    compression_methods
>>       This is a list of the compression methods supported by the client,
>>       sorted by client preference.  If the session_id field is not empty
>>       (implying a session resumption request), it MUST include the
>>
>> Dierks & Rescorla           Standards Track                    [Page 41]
>>
>> RFC 5246                          TLS                        August 2008
>>
>> *>    compression_method from that session.  This vector MUST contain,
>> *>    and all implementations MUST support, CompressionMethod.null.
>>       Thus, a client and server will always be able to agree on a
>>       compression method.
>
>
> Sorry, I spoke carelessly. It must contain solely the null method.
>
> -Ekr
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
>