Re: [TLS] Triple Handshake Fix.
"Yngve N. Pettersen" <yngve@spec-work.net> Tue, 29 April 2014 21:32 UTC
Return-Path: <yngve@spec-work.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 319921A02AC for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 14:32:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8FCPu1bTM-AZ for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 14:32:15 -0700 (PDT)
Received: from smtp.domeneshop.no (smtp.domeneshop.no [194.63.252.54]) by ietfa.amsl.com (Postfix) with ESMTP id CF6561A08F0 for <tls@ietf.org>; Tue, 29 Apr 2014 14:32:14 -0700 (PDT)
Received: from 85.168.202.84.customer.cdi.no ([84.202.168.85]:56406 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <yngve@spec-work.net>) id 1WfFdM-0006Xy-U7; Tue, 29 Apr 2014 23:32:12 +0200
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Eric Rescorla <ekr@rtfm.com>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, "tls@ietf.org" <tls@ietf.org>, Nico Williams <nico@cryptonector.com>, Adam Langley <agl@google.com>, Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
References: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com>
Date: Tue, 29 Apr 2014 23:31:56 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.xe3krion3dfyax@killashandra.invalid.invalid>
In-Reply-To: <CAL9PXLyGjM0R-NRdqzbfKWOvbLjT+mwE9uT0BQTpiFt5p27ATQ@mail.gmail.com>
User-Agent: Opera Mail/12.16 (Win32)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/PVxhStu7aphPaIzyvQsMjU9kKFo
Subject: Re: [TLS] Triple Handshake Fix.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 21:32:20 -0000
Hi, On Tue, 29 Apr 2014 23:05:50 +0200, Adam Langley <agl@google.com> wrote: > I think the change to the master secret calculation is relatively > uncontroversial (and is probably what the master secret should always > have been). People might have differing opinions on the SCSV, but that > doesn't affect whether a TLS extension number will ultimately be > allocated for it. > > > [1] https://secure-resumption.com > [2] https://secure-resumption.com/draft-bhargavan-tls-session-hash-00.txt A comment about the draft: Section 5.3 states: In its ClientHello message, a client MUST either send the "extended_master_secret" extension, or the "TLS_EXTENDED_MASTER_SECRET" SCSV. Clients SHOULD NOT include both. In my opinion, the "SHOULD NOT" ought to be a "MUST NOT", *unless* the document also states something like "Servers MUST accept ClientHello messages that contain both the "extended_master_secret" extension and the "TLS_EXTENDED_MASTER_SECRET" SCSV, and treat them as if only one had been received" When I originally implemented the Renego Information extension in Opera, I decided to send both, since deciding when to send either complicates the code, at least a little. However, I had to eventually change the code to send only one of them (SCSV in extension less handshakes, extension otherwise), as 4.7% of Renego patched servers does not tolerate the combination, some of them major sites like Linkedin and Paypal. A SHOULD NOT means that the server may encounter handshakes with both, and since server vendors apparently are apt to think that "either" and "SHOULD NOT include both" in combination means "MUST NOT include both", then the document should either specify how the server should handle reception of both indicators, or say that both are forbidden. -- Sincerely, Yngve N. Pettersen Using Opera's mail client: http://www.opera.com/mail/
- [TLS] Triple Handshake Fix. Adam Langley
- Re: [TLS] Triple Handshake Fix. Alfredo Pironti
- Re: [TLS] Triple Handshake Fix. Yngve N. Pettersen
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Rex
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Karthik Bhargavan
- Re: [TLS] Triple Handshake Fix. Geoffrey Keating
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Martin Thomson
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller
- Re: [TLS] Triple Handshake Fix. Watson Ladd
- Re: [TLS] Triple Handshake Fix. Nico Williams
- Re: [TLS] Triple Handshake Fix. Bodo Moeller