Re: [TLS] Renego Indication RI patch interaction with TLS major version interop
Marsh Ray <marsh@extendedsubset.com> Tue, 15 June 2010 23:10 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B39393A69C1 for <tls@core3.amsl.com>; Tue, 15 Jun 2010 16:10:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.036
X-Spam-Level:
X-Spam-Status: No, score=-0.036 tagged_above=-999 required=5 tests=[AWL=-0.037, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SWiXAZhVlWyX for <tls@core3.amsl.com>; Tue, 15 Jun 2010 16:10:24 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id A84383A69AA for <TLS@ietf.org>; Tue, 15 Jun 2010 16:10:24 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OOfH1-000HmJ-FB; Tue, 15 Jun 2010 23:10:28 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id CAC4164D8; Tue, 15 Jun 2010 23:10:25 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+/USKAZmZYhfAk45wxsEaYwWFexT8Zfmo=
Message-ID: <4C180862.6090707@extendedsubset.com>
Date: Tue, 15 Jun 2010 18:10:26 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Brian Smith <brian@briansmith.org>
References: <4C17AA89.8060904@extendedsubset.com> <4C17B2FE.7080604@pobox.com> <4C17B7C9.8090006@extendedsubset.com> <000f01cb0cd7$dc390f20$94ab2d60$@briansmith.org>
In-Reply-To: <000f01cb0cd7$dc390f20$94ab2d60$@briansmith.org>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: TLS@ietf.org
Subject: Re: [TLS] Renego Indication RI patch interaction with TLS major version interop
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2010 23:10:25 -0000
> I just mean that the article is misleading in that it implies that the vast > majority of servers are implementing the renegotiation protection draft > incorrectly, when really they are implementing something else wrongly that > doesn't have a *practical* effect on renegotiation protection. I agree. Still it seems weird though that patching for RI would introduce new breakage systematically across multiple implementations or distributions, which is why I brought it to this list. No evidence of a spec bug yet it seems. Given the adoption rate (0 to 12% increase in time period of graph) I would have thought the "all servers" (red) line would have shown a little of the wild variation from the "renego patched" (blue) line. Perhaps it's not all servers, but non-patched servers on the red line. > If the test > fails for 0x03FF then, yes, there may be something to worry about. But I > think we would all be quite relieved if supporting versions >= 0x0400 was > one of the top 10 (or 100) most pressing issues regarding TLS. Still, we need to be aware of it. As we've seen, this class of issue can just as easily be a problem with clients advertising version 1.1. Thank you Yngve and Opera for compiling and publishing this info! > Regarding NSS on servers: I think it will become increasingly common due to > initiatives like the following > http://fedoraproject.org/wiki/FedoraCryptoConsolidation > http://en.opensuse.org/SharedCertStore Those are interesting projects. Though I'm not sure I'm ready to unify my web browser and SSH server under a single trust model yet. :-) - Marsh
- [TLS] Renego Indication RI patch interaction with… Marsh Ray
- Re: [TLS] Renego Indication RI patch interaction … Brian Smith
- Re: [TLS] Renego Indication RI patch interaction … Michael D'Errico
- Re: [TLS] Renego Indication RI patch interaction … Marsh Ray
- Re: [TLS] Renego Indication RI patch interaction … Simon Josefsson
- Re: [TLS] Renego Indication RI patch interaction … Adam Langley
- Re: [TLS] Renego Indication RI patch interaction … Simon Josefsson
- Re: [TLS] Renego Indication RI patch interaction … Brian Smith
- Re: [TLS] Renego Indication RI patch interaction … Marsh Ray
- Re: [TLS] Renego Indication RI patch interaction … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Renego Indication RI patch interaction … Martin Rex
- Re: [TLS] Renego Indication RI patch interaction … Michael D'Errico
- Re: [TLS] Renego Indication RI patch interaction … Martin Rex
- Re: [TLS] Renego Indication RI patch interaction … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Renego Indication RI patch interaction … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Renego Indication RI patch interaction … Ivan Ristic
- Re: [TLS] Renego Indication RI patch interaction … Peter Gutmann
- Re: [TLS] Renego Indication RI patch interaction … Peter Gutmann
- Re: [TLS] Version (in)tolerance Marsh Ray
- Re: [TLS] Version (in)tolerance Peter Gutmann
- Re: [TLS] Version (in)tolerance Marsh Ray
- Re: [TLS] Version (in)tolerance Martin Rex
- Re: [TLS] Version (in)tolerance Marsh Ray