Re: [TLS] I-D Action: draft-ietf-tls-negotiated-ff-dhe-10.txt

Tony Arcieri <bascule@gmail.com> Wed, 03 June 2015 06:36 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/VQ1GKWIz3pgyYxlO6Jj4Xw9s7jQ>

On Tue, Jun 2, 2015 at 11:32 PM, Geoffrey Keating <geoffk@geoffk.org> wrote:

> It's covered in section 4:
>
>    If at least one FFDHE ciphersuite is present in the client
>    ciphersuite list, and the Supported Groups extension is either absent
>    from the ClientHello


Unless I'm mistaken, unless you configure the jdk.tls.disabledAlgorithms
property explicitly (with e.g. "DHE keySize > 2048"), Java clients are
aborting *before* they send the ClientHello. Please let me know if you're
seeing otherwise. I could be mistaken and perhaps there's a server-side
workaround for this that isn't "disable all DHE ciphersuites". But this is
what I've personally observed and have been advising people about.

I'm not saying it can't be fixed with additional configuration/errata/etc.,
I'm arguing that it's *breaking clients in the field right now*.

tl;dr: I am seeing *widespread TLS breakages* because of this, resulting in
*huge outages* for Java clients.

-- 
Tony Arcieri