Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 29 October 2014 08:57 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6B431A1A1D for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 01:57:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1goiluTJll_P for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 01:57:24 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D82821A1A0F for <tls@ietf.org>; Wed, 29 Oct 2014 01:57:23 -0700 (PDT)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9T8vLS6017431 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 29 Oct 2014 04:57:21 -0400
Received: from [10.34.2.127] (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9T8vIoV031984 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Wed, 29 Oct 2014 04:57:20 -0400
Message-ID: <1414573038.723.4.camel@dhcp-2-127.brq.redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 29 Oct 2014 09:57:18 +0100
In-Reply-To: <874mupwf0k.fsf@alice.fifthhorseman.net>
References: <20141011044948.27553.93984.idtracker@ietfa.amsl.com> <5438B82B.6090600@fifthhorseman.net> <544BD3BF.9030702@streamsec.se> <1682594903.63043.1414266713793.JavaMail.zimbra@redhat.com> <544C1BC3.5060204@streamsec.se> <1749574094.84536.1414307373087.JavaMail.zimbra@redhat.com> <544E0682.30804@streamsec.se> <1414405551.2543.8.camel@dhcp-2-127.brq.redhat.com> <544E254A.3020501@streamsec.se> <1414408020.2543.13.camel@dhcp-2-127.brq.redhat.com> <544E2E5D.4000805@streamsec.se> <874mupwf0k.fsf@alice.fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/REX6n7ds-p9HLwdhXFyyoYagJt0
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 08:57:28 -0000
On Mon, 2014-10-27 at 14:20 -0400, Daniel Kahn Gillmor wrote: > On Mon 2014-10-27 07:37:01 -0400, Henrick Hellström wrote: > > It does however strike me as odd that, as a consequence, a named FFDHE > > compatible server, would still be allowed to negotiate DHE cipher suites > > with legacy clients that do not even implement RFC 4492, but not with > > legacy clients that implement DHE in the exact same way, but also > > support a few weak elliptic curves. > > hm, yes, i agree that this is a bad outcome, and as of -02 that does > appear to be the consequence of the draft. Thanks for pointing this > out, Henrick. > > To be clear, i think the problem is: > > * a compatible server might see a client send a DHE ciphersuite and the > NamedCurves extension, but with at least one identified NamedCurve > that the server doesn't know. > > * In this case, the server cannot distinguish the following two peers: > > A) the client implements this draft, but only implements an unusual > FFDHE that the server has never heard of. > > B) the client does not implement with this draft and happens to > implement an elliptic curve that the server has never heard of. > > * The right logic here is that the server SHOULD NOT select DHE for > client A, but MAY select DHE for client B, as when interoperating > with any other legacy client implementation. But the server can't > distinguish between these cases. I wouldn't distinguish between these two cases. If the goal is to promote interoperability, the DHE ciphersuites should not be negotiated by a compliant server if there are no curves advertised by the client. Otherwise in client B case, if the server proceeds with negotiating DHE, the issue that the draft tries to solve reappears, i.e., a broken session because the DH parameters presented to client for some reason are not acceptable by the client (e.g., a java client which only supports 1024-bit parameters). > I think there needs to be explicit signalling from the client that it > understands known FFDHE groups, so that a server can distinguish between > these cases. > I see three ways to achieve this goal: I'd add that: 3) Keep the currently defined behavior (i.e., prefer any other ciphersuite to DHE if the peers share no common groups). regards, Nikos
- [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dh… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Manuel Pégourié-Gonnard
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Stephen Checkoway
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Ilari Liusvaara
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Henrick Hellström
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Peter Gutmann
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-negotiated-f… Hubert Kario