IETF Logo Mail Archive

Re: [TLS] Renego Indication RI patch interaction with TLS major

Martin Rex <mrex@sap.com> Wed, 16 June 2010 00:00 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AB0C53A63CB for <tls@core3.amsl.com>; Tue, 15 Jun 2010 17:00:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.787
X-Spam-Level:
X-Spam-Status: No, score=-7.787 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_40=-0.185, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CdzMQ3R1Ddfp for <tls@core3.amsl.com>; Tue, 15 Jun 2010 17:00:46 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 6BE423A69AD for <tls@ietf.org>; Tue, 15 Jun 2010 17:00:46 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o5G00ecB010404 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 16 Jun 2010 02:00:45 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201006160000.o5G00drV019064@fs4113.wdf.sap.corp>
To: brian@briansmith.org
Date: Wed, 16 Jun 2010 02:00:39 +0200
In-Reply-To: <005101cb0caa$46166ec0$d2434c40$@briansmith.org> from "Brian Smith" at Jun 15, 10 11:46:11 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Renego Indication RI patch interaction with TLS major
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jun 2010 00:00:47 -0000

Brian Smith wrote:
> 
> > Article from Yngve:
> > http://my.opera.com/yngve/blog/2010/06/02/renego-patched-servers-a-long-
> > term-interoperability-time-bomb-brewing
> 
> NSS has an explicit check that the first byte of every version number is
> 0x03. I imagine other implementations have a similar check.

Our OEM implementation restricts the version_minor range besides
requiring 0x03 for the version_major. (I added version_minor range
check several years ago when I noticed interop problems with TLSv1.1).

OpenSSL 0.9.8 seems to require a version_major of 0x03 as well.

One version_major value was already re-purposed for DTLS.
IMHO, the assumption that protocol version negotiation would work
for completely arbitrary protocol versions is flawed.

If Yngve was to collect any meaningful data on version negotiation
capabilities, he should test with version 0x03,0x03 (TLSv1.2)
and 0x03,x04 (not yet defined).

-Martin

v2.23.0 | Report a Bug | By Email