Re: [TLS] PR#1091: Changes to provide middlebox robustness
Martin Thomson <martin.thomson@gmail.com> Wed, 08 November 2017 00:41 UTC
In-Reply-To: <CABcZeBNm4bEMx0L6Kx-v7R+Tog9WLXxQLwTwjutapRWWW_x9+w@mail.gmail.com>
References: <CABcZeBNm4bEMx0L6Kx-v7R+Tog9WLXxQLwTwjutapRWWW_x9+w@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 08 Nov 2017 11:41:15 +1100
Message-ID: <CABkgnnV34_h1ANeAzG5s0D=RvFK066RLE1zzA84PHZDWrhRLng@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OprAsM9V5eATP3LanH-3BFgVCFI>
On Tue, Nov 7, 2017 at 5:19 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> - The client sends a fake session_id and the server echoes it

One friendly amendment. I think that we should insist (with a MUST) that the server send CCS in the case that it receives a non-empty session_id. That gives clients the ability to insist on use of the compatibility hack by a server.

Evidence shows that the server can't ensure that these (expletive deleted) middleboxes don't mess with the connection unless the client takes the steps that are outlined here, so it has no way to control the use of the compatibility mode. On the other hand, having the server not send CCS when compatibility mode was needed would somewhat undermine the client's efforts.
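The rule proposed in this message, as a client-side check: when the client put a non-empty session_id in its ClientHello, the ServerHello must echo it and a dummy change_cipher_spec record must follow the ServerHello. This is an added example written for this archive page, not code from the TLS working group, the PR or any TLS library. The record and ServerHello layouts follow the TLS 1.3 wire format; the byte strings (session id, random, cipher suite, extension) are constructed here to exercise the check, and the function names are the example's own.

```python
"""Client-side check for TLS 1.3 middlebox compatibility mode (added example)."""
import struct

CONTENT_CHANGE_CIPHER_SPEC = 0x14
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02
LEGACY_VERSION_TLS12 = 0x0303

# Constructed 32-byte session id a client might send to request compatibility mode.
CLIENT_SESSION_ID = bytes(range(0x10, 0x30))


def tls_record(content_type: int, payload: bytes) -> bytes:
    """Wrap a payload in a TLSPlaintext record: type(1) version(2) length(2) body."""
    return struct.pack("!BHH", content_type, LEGACY_VERSION_TLS12, len(payload)) + payload


def parse_records(data: bytes) -> list:
    """Split a byte stream into (content_type, fragment) pairs, rejecting truncation."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        pos += 5
        if len(data) - pos < length:
            raise ValueError("truncated record body")
        records.append((ctype, data[pos:pos + length]))
        pos += length
    return records


def parse_server_hello(fragment: bytes) -> dict:
    """Parse the fixed fields of a ServerHello: version, random, session id echo,
    cipher suite, compression, extensions length."""
    if len(fragment) < 4 or fragment[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1 + 2 + 1 + 2:
        raise ValueError("malformed ServerHello")
    pos = 0
    legacy_version = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    random_bytes = body[pos:pos + 32]
    pos += 32
    sid_len = body[pos]
    pos += 1
    if sid_len > 32 or pos + sid_len + 5 > len(body):
        raise ValueError("bad legacy_session_id_echo length")
    sid_echo = body[pos:pos + sid_len]
    pos += sid_len
    cipher_suite = body[pos:pos + 2]
    pos += 2
    compression = body[pos]
    pos += 1
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if pos + ext_len != len(body):
        raise ValueError("extensions length mismatch")
    return {"legacy_version": legacy_version, "random": random_bytes,
            "legacy_session_id_echo": sid_echo, "cipher_suite": cipher_suite,
            "compression": compression, "extensions_len": ext_len}


def build_server_hello(session_id_echo: bytes) -> bytes:
    """Constructed ServerHello record (TLS_AES_128_GCM_SHA256, supported_versions=1.3)."""
    random_bytes = bytes(range(32))  # constructed, not random
    body = (struct.pack("!H", LEGACY_VERSION_TLS12) + random_bytes
            + bytes([len(session_id_echo)]) + session_id_echo
            + b"\x13\x01" + b"\x00")
    supported_versions = b"\x00\x2b" + b"\x00\x02" + b"\x03\x04"
    body += struct.pack("!H", len(supported_versions)) + supported_versions
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return tls_record(CONTENT_HANDSHAKE, handshake)


# The dummy change_cipher_spec record: a single 0x01 byte.
DUMMY_CCS = tls_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")


def check_compat_mode(sent_session_id: bytes, server_flight: bytes) -> dict:
    """Verdict on the server's first flight against the client's session_id.
    echo_ok: ServerHello echoed exactly what the client sent.
    ccs_seen: a dummy CCS followed the ServerHello.
    ok: echo matched and, if the client asked for compatibility mode (non-empty
        session_id), the server sent CCS (the MUST proposed in the mail)."""
    records = parse_records(server_flight)
    sh_index = next((i for i, (ctype, frag) in enumerate(records)
                     if ctype == CONTENT_HANDSHAKE and frag[:1] == bytes([HANDSHAKE_SERVER_HELLO])),
                    None)
    if sh_index is None:
        raise ValueError("no ServerHello in flight")
    sid_echo = parse_server_hello(records[sh_index][1])["legacy_session_id_echo"]
    echo_ok = sid_echo == sent_session_id
    ccs_seen = any(ctype == CONTENT_CHANGE_CIPHER_SPEC and frag == b"\x01"
                   for ctype, frag in records[sh_index + 1:])
    compat_requested = len(sent_session_id) > 0
    return {"echo_ok": echo_ok, "ccs_seen": ccs_seen,
            "ok": echo_ok and (ccs_seen or not compat_requested)}


if __name__ == "__main__":
    good = build_server_hello(CLIENT_SESSION_ID) + DUMMY_CCS
    print("compliant server:", check_compat_mode(CLIENT_SESSION_ID, good))
    print("server without CCS:", check_compat_mode(CLIENT_SESSION_ID, build_server_hello(CLIENT_SESSION_ID)))
```

A mismatched echo is a hard failure regardless of the CCS; a missing CCS only fails when the client actually requested compatibility mode, which is what lets the client, rather than the server, decide whether the hack is in use.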