[TLS] Thoughts on Version Intolerance
Hanno Böck <hanno@hboeck.de> Mon, 18 July 2016 11:08 UTC
Return-Path: <hanno@hboeck.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0258E12D8C9 for <tls@ietfa.amsl.com>; Mon, 18 Jul 2016 04:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IBgGxVns3dCD for <tls@ietfa.amsl.com>; Mon, 18 Jul 2016 04:08:48 -0700 (PDT)
Received: from zucker2.schokokeks.org (zucker2.schokokeks.org [178.63.68.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D184412D8CB for <tls@ietf.org>; Mon, 18 Jul 2016 04:08:47 -0700 (PDT)
Received: from pc1 ([2001:67c:370:176:e394:67f1:be9a:d08e]) (AUTH: LOGIN hanno-default@schokokeks.org, TLS: TLSv1/SSLv3, 256bits, ECDHE-RSA-AES256-GCM-SHA384) by zucker.schokokeks.org with ESMTPSA; Mon, 18 Jul 2016 13:08:46 +0200 id 0000000000000051.00000000578CB8BE.000053DA
Date: Mon, 18 Jul 2016 13:08:43 +0200
From: Hanno Böck <hanno@hboeck.de>
To: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20160718130843.0320d43f@pc1>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/V_8x9tdbYg2rufL1ojSktI8Nl6I>
Subject: [TLS] Thoughts on Version Intolerance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2016 11:08:52 -0000
Hi, Recently both Adam Langley [1] and David Benjamin [2] indicated that they expect with TLS 1.3 Browsers will have to bring back the infamous version falbacks that caused so much trouble in the past (POODLE etc.) to work around broken implementations of the TLS handshake. I don't blame browser vendors for this, I can understand their reasoning why they think they have to do this, although I don't share their opinion. But I think this sheds a light on the sorry state of TLS implementations and I want to ask if there's a better way out of this. Let me quickly summarize how I see the situation: * The issue has been known for a long time. I found a document from Mozilla [3] from 2003 that describes the core issue. * While there is a lot of scattered discussion about the issue, the pure documentation status of this problem is far from ideal. I am not aware of any good documentation that even describes how exactly version intolerance happens. The "classic" variant seems to be implementations that just close the connection if they are contacted with a version number higher than what they support. But there are also weirder variants where a connection attempt with TLS 1.2 will be downgraded to SSLv3, but a connection attempt with TLS 1.0 will lead to an answer with TLS 1.0. Questions I couldn't easily answer is how connections are terminated (TCP disconnect? TLS alert? Timeouts?) Also I'm not fully aware what the different version numbers (ClientHelo + record version number) mean in context of a handshake and how this influences version intolerance issues. * There don't seem to be any straightforward tools that test for version intolerance. The SSL Labs test does detect version intolerance, but it's limited to public facing https servers and it doesn't seem to detect some of the weirder variations (as described above). There's also a test in Hubert Kario's tlsfuzzer, but I've been unable to get it to work. I tried to create a test myself, but the results were highly erratic and I'm not sure why. * We don't have good data on the issue. The latest numbers I could find came from Ivan Ristic in 2013 [4], and from David Benjamin we know he considers the problem to be large enough that version fallbacks are inevitable. That's far from good data. We also don't seem to have any public list of affected vendors, devices and webpages. I want to try to work on some of those issues in the near future. Roughly I'd like to see that we work on a plan to reduce TLS brokenness in general and in particular - right now as this is an issue affecting the deployment of TLS 1.3 - Version intolerance. Things that I think we could and should do: * Talk to developers of test tools (sslyze, testssl, openvas, but also commercial tools etc.) that they include appropriate tests in their tools and warn about these issues. Also it'd be great if e.g. things like the google webmaster tools or any other public test tools for webservers/websites could test for this. * Raise this issue with pentesters and tell them they should include this when they're testing devices / products. (Of course this requires to have test tools in the first place.) * Get some data from internet wide scans and make it public. Maybe have a public shame list of the top X pages breaking TLS. * In general, more and better detailed documentation of this and similar issues, also raise this as a potential research topic. My hope would be that we can avoid the reintroduction of version fallbacks or at the very least reduce the amount of time they have to be used. And hopefully at least avoid them altogether for TLS 1.4 or whatever comes after 1.3. I'm in Berlin at IETF96 in case people want to discuss this. As this is terribly late for this I don't know if this can be included in the TLS WG discussion as it's probably already packed with other issues (but I'd happily introduce the issue if people want to discuss it). [1] https://www.imperialviolet.org/2016/05/16/agility.html [2] https://www.ietf.org/mail-archive/web/tls/current/msg20207.html [3] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Notes_on_TLS_-_SSL_3.0_Intolerant_Servers [4] https://www.ietf.org/mail-archive/web/tls/current/msg10657.html -- Hanno Böck https://hboeck.de/ mail/jabber: hanno@hboeck.de GPG: BBB51E42
- [TLS] Client Hello size intolerance Was: Re: Thou… Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Yuhong Bao
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Ivan Ristić
- Re: [TLS] Thoughts on Version Intolerance Yuhong Bao
- Re: [TLS] Thoughts on Version Intolerance Yuhong Bao
- Re: [TLS] Thoughts on Version Intolerance David Benjamin
- Re: [TLS] Thoughts on Version Intolerance Brian Smith
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Peter Gutmann
- Re: [TLS] Thoughts on Version Intolerance Ilari Liusvaara
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance David Benjamin
- Re: [TLS] Thoughts on Version Intolerance Watson Ladd
- Re: [TLS] Thoughts on Version Intolerance Martin Rex
- Re: [TLS] Thoughts on Version Intolerance Benjamin Kaduk
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Watson Ladd
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Kyle Rose
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Martin Rex
- Re: [TLS] Thoughts on Version Intolerance Hanno Böck
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance David Benjamin
- Re: [TLS] Thoughts on Version Intolerance Ilari Liusvaara
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- [TLS] Thoughts on Version Intolerance Hanno Böck
- Re: [TLS] Client Hello size intolerance Was: Re: … David Benjamin
- Re: [TLS] Client Hello size intolerance Was: Re: … Hubert Kario
- Re: [TLS] Client Hello size intolerance Was: Re: … Brian Smith
- Re: [TLS] Thoughts on Version Intolerance Dave Garrett
- Re: [TLS] Thoughts on Version Intolerance Ilari Liusvaara