Re: [TLS] ALPN concerns

Geoffrey Keating <geoffk@geoffk.org> Wed, 06 November 2013 02:33 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBAB021F9D94 for <tls@ietfa.amsl.com>; Tue, 5 Nov 2013 18:33:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.359
X-Spam-Level:
X-Spam-Status: No, score=-1.359 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d2u3h5SydSBQ for <tls@ietfa.amsl.com>; Tue, 5 Nov 2013 18:32:57 -0800 (PST)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.105.14]) by ietfa.amsl.com (Postfix) with ESMTP id E35A421F9D3E for <tls@ietf.org>; Tue, 5 Nov 2013 18:32:57 -0800 (PST)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 9737433D115; Wed, 6 Nov 2013 02:32:57 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Martin Thomson <martin.thomson@gmail.com>
References: <CAFewVt7-+e-e82LA3iPWOuoudRqCCk23uyf0w5+aXSFsAv64GA@mail.gmail.com> <CABkgnnXgUo_g-w=kefQUnFWLtcfdTByCWtSaxJHvLx-gtzZP_A@mail.gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: 05 Nov 2013 18:32:57 -0800
In-Reply-To: <CABkgnnXgUo_g-w=kefQUnFWLtcfdTByCWtSaxJHvLx-gtzZP_A@mail.gmail.com>
Message-ID: <m27gcm1cpy.fsf@localhost.localdomain>
Lines: 33
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] ALPN concerns
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2013 02:33:03 -0000

Martin Thomson <martin.thomson@gmail.com> writes:

> On 5 November 2013 14:21, Brian Smith <brian@briansmith.org> wrote:
> > I am
> > very concerned about the issues that they've run into where many web
> > servers are failing to handshake when the ClientHello message is
> > larger than 255 bytes.
> 
> I can understand the need to avoid the ceiling in the short term, no
> question.  But how much headroom is there?
> 
> Having some specific numbers would definitely help inform the
> discussion.  Clearly, including SNI with a maximum-length hostname is
> going to blow this limit, so the question is where we think the line
> needs to be drawn.

To give an idea:

A TLS 1.2 ClientHello which lists all the authenticated ciphersuites
currently defined (no anonymous), EC curves and formats, and signature
algorithms, but no SNI, is 528 bytes.  So you can already be way over
255 bytes just with things already defined.

The TLS 1.2 Safari ClientHello in OS X 10.9 when connecting to
ssl.apple.com is 180 bytes, and that has SNI but no NPN or similar,
and a limited number of elliptic curves.

I think the Safari ClientHello is close to the minimum you would want;
that is, if your ClientHello is much shorter, you're probably missing
something more important than ALPN.  I would suggest allowing 30 bytes
for longer domain names.  So there's maybe 45 bytes to split between
ALPN, TLS 1.4, AEAD ciphers, new elliptic curves, and any other
feature that might be implemented in future.