Re: [TLS] COMMENT: draft-ietf-tls-renegotiation
Martin Rex <mrex@sap.com> Wed, 16 December 2009 00:58 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5C6873A67FB; Tue, 15 Dec 2009 16:58:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.194
X-Spam-Level:
X-Spam-Status: No, score=-6.194 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VsCg1xKneGsX; Tue, 15 Dec 2009 16:58:17 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id E08BB3A63EC; Tue, 15 Dec 2009 16:58:16 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nBG0vwX0007980 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 16 Dec 2009 01:57:58 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912160057.nBG0vvZw004261@fs4113.wdf.sap.corp>
To: nelson@bolyard.me
Date: Wed, 16 Dec 2009 01:57:57 +0100
In-Reply-To: <4B2818BF.507@bolyard.me> from "Nelson Bolyard" at Dec 15, 9 03:16:15 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: canetti@tau.ac.il, iesg@ietf.org, tls@ietf.org
Subject: Re: [TLS] COMMENT: draft-ietf-tls-renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 00:58:18 -0000
Nelson Bolyard wrote: > > > > Given that the TLS WG list is full of discussion about remaining > > backward-compatible with SSLv3, it's not clear if the industry is paying > > attention to the IETF anyway. more than 90% of the world are on TLSv1.0 + SSLv3 combined. > > There is a small number of individuals in this list who are generating a > very high volume of traffic arguing that it is necessary to preserve > backward compatibility with servers that are not only SSL 3.0 but a subset > thereof that is intolerant of any hello extensions and of client hellos > that bear any higher version than 3.0, being unable to successfully > negotiate an SSL 3.0 handshake in the presence of either. This misrepresents facts. What I am arguing for is that a solution does not need to unnecessarily create interoperability problems that can be easily and reliably avoided. If this solution should be patched into the installed base, then it should address the issues of the installed base! If you think the installed base doesn't matter, then you should rather propose to defer the solution to TLSv1.3. > > If one judges purely by the volume of traffic in the list, one might > conclude that the industry as a whole is behind that position. > But I believe that conclusion would not be supported by an actual > poll of vendors of SSL 3.x (including TLS 1.x) server products. > I think we are merely hearing from a very vociferous minority > who hopes to defeat the current draft by filibuster. The open IETF standards process is about discussing technical issues and providing solutions to technical issues. A few valid technical issues that have been raised against TLS extension RI, and not yet been addressed with sufficient clarity. Some issues were of the type "I can not do this-and-this to my installed base". And some answers have been "Tough luck. My installed base doesn't have that problem and I don't care about yours." This would be OK if we were discussing about optional features of a new protocol. But we are actually discussing about a strongly recommended, backwards-incompatible change to the entire installed base that becomes as mandatory as it can get for protocols that were finalized many many years ago. A broken or incomplete patch that is widely distributed will create much more damage than not shipping a patch at all, and ultimately, a conforming patch based on a broken or incomplete spec will create even worse problems. The TLS renegotiation vulnerability itself is compliant implementations of a vague and defective specification for the renegotiation, and we currently see how painful it is to fix that. No, I do not want to have the IETF ship a solution that is superficially evaluated at best. The fact that so many implementers completely missed the TLS renegotiation vulnerability for over 14 years worries me somewhat. A few implementors who have actually tried to implement both proposed solutions for secure TLS renegotiation have shared their results here. So far their results were very similar. If the original SSLv3 specification had described the TLS renegotiation algorithm in full detail, then the vulnerability would have been obvious from the beginning. It's not very different for the interop problems with the extension data in ClientHello and the protocol versions. Instead of just vaguely mentioning extensibility here or there, a specification will need to spell out its expectations by example in order for implementors to not create tomorrows interop problems today. OpenSSL (in the days of 0.9.4) had nursing problems with the TLSv1.0 protocol version, because the protocol version comparisons were hardwired for major and minor version. Today, OpenSSL is forwards compatible on the minor_version, but the major_version is still hardwired. Netscape 6 had problems sending correct protocol versions according to the workarounds in OpenSSL, and Microsoft had a protocol version problem in renegotiation handshakes. To me, the effectively usable protocol version negotiation in TLS (as inherited from SSLv3) for the installed base is a mess. If they had used a set (like its done with the cipher_suites and compression_methods), then the nursing problems would probably be gone by now. Another drawback from the exitisting version negotiation is that implementations de-facto have to implement all protocol versions, and given budget constraints of todays world, TLSv1.0 is likely the protocol with the highest return-of-investment. Due to a complete lack of guidance about protocol version evolvement, implementers made arbitrary choices which values they considered valid and this is what resulted interop problems we currently face. As a side-effect, the original "version rollback protection" no longer works as expected for clients with re-connect fallbacks and conservative clients. > > >> Removing support for (i.e., not fixing) a fundamental and widely-used > >> protocol feature like renegotiation is not an option. > > > > I think the question Russ raised is: just how fundamental is TLS > > renegotiation? And the answer so far seems to be: some deployments seem > > to use it, but it might not be fundamental. > > I believe it is very heavily used in business-to-business https transactions > including so-called intranet transactions, where parts of a web site require > different authentication than the rest. The issue is more, that those environments where renegotiation was offered to applications and got used, now have a vital dependency on that functionality being available. And while _our_ own installed base has no such dependency on TLS renegotiation, *I* do care for the installed base of others, and would be willing to bear the effort and burden to ship an update for the entire installed base, provided that the operational risk such a backwards-incompatible change means for an installed base of largely unknown usage scenarios is designed to be sufficiently small, and the spec on which this change is based is sufficiently clear as to not create new interoperability problems. There are probably less than 10% of the implementers of SSLv3 and TLS implementations participating the IETF. So any spec we come up with should be sufficiently clear and sufficiently simple that implementors around the world can come up with independent interoperable implementations when all what they have is the RFC document that we publish. While we can not fix all of the problems (like unexpected identity changes) universally at the TLS level, we can fix the most serious problems with a relatively modest change in a central location of the software stack and with a much better prerequisites for applying a consistent fix throughout the entire infrastructure than any approach that all of the affected applications would have to individually pursue. -Martin
- [TLS] COMMENT: draft-ietf-tls-renegotiation Russ Housley
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Steven Bellovin
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Nicolas Williams
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Russ Housley
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Peter Saint-Andre
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Kemp, David P.
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Peter Gutmann
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Stefan Santesson
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Pasi.Eronen
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Huang Min
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Ben Laurie
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Robert Dugal
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Badra
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Robert Dugal
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Steve Dispensa
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Ran Canetti
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Marsh Ray
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Peter Saint-Andre
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Martin Rex
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Nelson Bolyard
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Nicolas Williams
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Martin Rex
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Martin Rex
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Steven Bellovin
- Re: [TLS] COMMENT: draft-ietf-tls-renegotiation Steve Dispensa