IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt

Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 29 October 2014 08:57 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6B431A1A1D for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 01:57:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1goiluTJll_P for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 01:57:24 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D82821A1A0F for <tls@ietf.org>; Wed, 29 Oct 2014 01:57:23 -0700 (PDT)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9T8vLS6017431 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 29 Oct 2014 04:57:21 -0400
Received: from [10.34.2.127] (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9T8vIoV031984 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Wed, 29 Oct 2014 04:57:20 -0400
Message-ID: <1414573038.723.4.camel@dhcp-2-127.brq.redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 29 Oct 2014 09:57:18 +0100
In-Reply-To: <874mupwf0k.fsf@alice.fifthhorseman.net>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <544C1BC3.5060204@streamsec.se> <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com> <544E0682.30804@streamsec.se> <1414405551.2543.8.camel@dhcp-2-127.brq.redhat.com> <544E254A.3020501@streamsec.se> <1414408020.2543.13.camel@dhcp-2-127.brq.redhat.com> <544E2E5D.4000805@streamsec.se> <874mupwf0k.fsf@alice.fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/REX6n7ds-p9HLwdhXFyyoYagJt0
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 08:57:28 -0000

On Mon, 2014-10-27 at 14:20 -0400, Daniel Kahn Gillmor wrote:
> On Mon 2014-10-27 07:37:01 -0400, Henrick Hellström wrote:
> > It does however strike me as odd that, as a consequence, a named FFDHE 
> > compatible server, would still be allowed to negotiate DHE cipher suites 
> > with legacy clients that do not even implement RFC 4492, but not with 
> > legacy clients that implement DHE in the exact same way, but also 
> > support a few weak elliptic curves.
> 
> hm, yes, i agree that this is a bad outcome, and as of -02 that does
> appear to be the consequence of the draft.  Thanks for pointing this
> out, Henrick.
> 
> To be clear, i think the problem is:
> 
>  * a compatible server might see a client send a DHE ciphersuite and the
>    NamedCurves extension, but with at least one identified NamedCurve
>    that the server doesn't know.
> 
>  * In this case, the server cannot distinguish the following two peers:
> 
>     A) the client implements this draft, but only implements an unusual
>        FFDHE that the server has never heard of.
> 
>     B) the client does not implement with this draft and happens to
>        implement an elliptic curve that the server has never heard of.
> 
>  * The right logic here is that the server SHOULD NOT select DHE for
>    client A, but MAY select DHE for client B, as when interoperating
>    with any other legacy client implementation.  But the server can't
>    distinguish between these cases.

I wouldn't distinguish between these two cases. If the goal is to
promote interoperability, the DHE ciphersuites should not be negotiated
by a compliant server if there are no curves advertised by the client.

Otherwise in client B case, if the server proceeds with negotiating DHE,
the issue that the draft tries to solve reappears, i.e., a broken
session because the DH parameters presented to client for some reason
are not acceptable by the client (e.g., a java client which only
supports 1024-bit parameters).

> I think there needs to be explicit signalling from the client that it
> understands known FFDHE groups, so that a server can distinguish between
> these cases.
> I see three ways to achieve this goal:

I'd add that:
3) Keep the currently defined behavior (i.e., prefer any other
ciphersuite to DHE if the peers share no common groups).

regards,
Nikos

v2.23.0 | Report a Bug | By Email