Re: [TLS] Thoughts on Version Intolerance

Brian Smith <brian@briansmith.org> Sat, 23 July 2016 01:37 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B98312DBB6 for <tls@ietfa.amsl.com>; Fri, 22 Jul 2016 18:37:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g_TBQhdEhbWC for <tls@ietfa.amsl.com>; Fri, 22 Jul 2016 18:37:25 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A99ED12DBB5 for <tls@ietf.org>; Fri, 22 Jul 2016 18:37:25 -0700 (PDT)
Received: by mail-io0-x22f.google.com with SMTP id m101so119643828ioi.2 for <tls@ietf.org>; Fri, 22 Jul 2016 18:37:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ezu4QXGIz6k1JGtFiEt0ei6Bw0wFfb9gwff33RUrKHE=; b=iRfRFnJh0fMdAYyhCFI9omlbyzjRfjaN50lbyjlyj1vIo8DRv4SJp1WQLcVnzIvcMr 7tXJ7K1cT/FB+Qsao+FKI5kaqkMJJHXwyxoyeHgnFYqJjsMuMhZ0cO7BGOyZZED2rAbI xH+F5MNnxwoaSUxdE9GqLB/2QnF7FbLrZqjaYpfK55UILEGLZoeRB0UHCKEtrRxxmugJ 1RBjVDrvjoA+Dqa36w0Z6wlB6UdUl0DqKRGAUpzvpJ29AeeKhTPl39nt3nDvSLhmVUem WGua35lZKK2djFmnV9e0aPX0CmzptGfmknQTrbWn/xoV3k70L1jycTK0dNZfO2J5b04q KJlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ezu4QXGIz6k1JGtFiEt0ei6Bw0wFfb9gwff33RUrKHE=; b=JxpLYENzUlf2qnv0yH0BuXWoRY/vEjgnswpkSSheWguU+woW1MkqZm01jIVkg2YS2n YTvBgSVFJDN2Gm4qrOu8HfjhB2zFjNhflMSlwPfs5ajwDEosX2Skzpeu/gWdXoMqMdaj oFZa6nzER7WJieS7ypN4fCuY56GXG52nb9+o4nlohidUOeh8aJU+pSCWhdrO4GQPj0Mn 2ES8opRMYvwA2pB1Y6nIoNRdJJDDg60r3drs49xG51AyM9pe80n6GEvons3tH1yvq16M GD9MZ7ecg/RjdzvLNXyx29Iw7IrPWu0k7J/JUSKzAmD7dvKFCvFiYDm65Au1EDPjRYNd v1Dw==
X-Gm-Message-State: AEkoouvpxIlL1VMj+DyWOpCMK+kKaiS/FCe0i9GHSGZyyHuaKjEvbh89mXD+0Tdn7JNme40n2DwOenzy8Zi1og==
X-Received: by 10.107.55.70 with SMTP id e67mr8189707ioa.51.1469237844979; Fri, 22 Jul 2016 18:37:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.74.73 with HTTP; Fri, 22 Jul 2016 18:37:24 -0700 (PDT)
In-Reply-To: <2581885.dP5x8nd4GP@pintsize.usersys.redhat.com>
References: <20160720173027.9BC3D1A504@ld9781.wdf.sap.corp> <4902846.OLd9Rrk6Df@pintsize.usersys.redhat.com> <201607211604.25745.davemgarrett@gmail.com> <2581885.dP5x8nd4GP@pintsize.usersys.redhat.com>
From: Brian Smith <brian@briansmith.org>
Date: Fri, 22 Jul 2016 15:37:24 -1000
Message-ID: <CAFewVt760KsO6oX5u-ZQJmKB-M5FcTb7mUTz4Z4FaT2QopwCxw@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RXfkAMzcRnzc0vNB5mGOoxhvLfw>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Thoughts on Version Intolerance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2016 01:37:27 -0000

Hubert Kario <hkario@redhat.com>; wrote:
> I'm quite sure that if I were sending a huge extension or many big extensions,
> the percentage of servers that are incompatible to them would be similar, if
> not worse. A relatively small 3KiB client hello already causes issues and this
> is not exactly something impossible to achieve with just TLSv1.2 and session
> tickets.

Don't expect a server to accept a ClientHello with a session ticket it
didn't produce. In particular, a server could very reasonably reject a
session ticket larger than the ones it produces, and it might produce
only very small ones.

More generally, when assessing compatibility, generally it is better
to consider only initial handshakes, using the data one would normally
send in an initial handshake. And, if you are considering 0-RTT key
shares, then it would be better to measure the case where only ECC key
shares are used separately from the case where non-ECC (old-school DH)
key shares are used.

Cheers,
Brian