Re: [TLS] draft-ietf-tls-tls13-24 supported_versions complexity
David Benjamin <davidben@chromium.org> Thu, 01 March 2018 18:43 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C768012EC7A for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 10:43:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.459
X-Spam-Level:
X-Spam-Status: No, score=-2.459 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9P_Vw4qZqedq for <tls@ietfa.amsl.com>; Thu, 1 Mar 2018 10:43:07 -0800 (PST)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 034BB12EC6C for <tls@ietf.org>; Thu, 1 Mar 2018 10:43:06 -0800 (PST)
Received: by mail-qk0-x22f.google.com with SMTP id j4so8809869qke.10 for <tls@ietf.org>; Thu, 01 Mar 2018 10:43:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lIloDttoGVjgQC2tfr7Dl9pUmSKwT3Tv79gWyEkR7k0=; b=NsfZXeicw6ttxqEKfHVoxosunIJ8XI95f+DgDgTvfkmmkmaTgsB2v/BZwKbQia9+Od dFrfYucsDvWaDnKw/WU8VESKsWYqmrrii8ByQ2Yd4mt62os3FEqrCrzqARJJ7YTXdbBT ms+cZv/nvKVfVTuOsmNPfW4oSjN77dDBsIRRs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lIloDttoGVjgQC2tfr7Dl9pUmSKwT3Tv79gWyEkR7k0=; b=bELjhVYET1qKvewVfcy3dllYschNkRnO2Y2JX6RCc1Sz72R155DD25y2AkO5XwlDyr lMB5hlBpYam3sHYOqf3/bHQqA4/VMQgYb3w3PlzsHJhVCkph8XVFzaMgHLUAZCdcMKqg jD324vCp6py+BrU2FQD/eTz/4VDJsYieUbZVKe3ndYW+4boHd0dNZnqJ+KhF9BSoU4hb 2L+okFqpNrTQS22EJ9JNCVMALcTpth+nR+K83mR2eR2lKq4M4DvBC+AWaFyRv3CnldRJ qOn0wdx2ECa5eLYs3NE4Vpbdfn0gYqglP3pkUUfjXaNuLawt81FvqDEQl/XPtbI0DuWf wqXw==
X-Gm-Message-State: AElRT7HAwrgiVQJ0qcCpYmMC49hOYOyPPpEDrnjrXhzMKhyiQk7hjHAw 3wjsH6ldZjwQRtG5bzA3rLl3LGsdZN0CDCoTRoXx
X-Google-Smtp-Source: AG47ELufWEM4axprtUiB673mMA8ifQaClSlqlwIKopxeI0pAtMM3oLtNtnISnDzAdbF7I09AFebzc5SgZTqifO0HcRk=
X-Received: by 10.55.107.70 with SMTP id g67mr4242090qkc.105.1519929785863; Thu, 01 Mar 2018 10:43:05 -0800 (PST)
MIME-Version: 1.0
References: <9233569e-fc21-e6dd-b84c-6a98e29a4f02@nist.gov>
In-Reply-To: <9233569e-fc21-e6dd-b84c-6a98e29a4f02@nist.gov>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 01 Mar 2018 18:42:55 +0000
Message-ID: <CAF8qwaCz1L=S9WWUVx0T41RtEscw2H7kGfLvqUq3FJcvTAc_Pw@mail.gmail.com>
To: "David A. Cooper" <david.cooper@nist.gov>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114873f2f906d205665e3a4c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VtDCgV9A8rGzgHSCLVrh7g4EfvM>
Subject: Re: [TLS] draft-ietf-tls-tls13-24 supported_versions complexity
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2018 18:43:10 -0000
FWIW, this was BoringSSL's interpretation as well. We don't consider supported_versions an acceptable TLS 1.2 (or earlier) ServerHello extension. I generally agree that we shouldn't add new unnecessary combinations. (TBH, I don't even consider the ability to advertise TLS 1.3 and TLS 1.1 on the client side to be an especially valuable feature, but I suppose that falls out naturally enough.) David On Thu, Mar 1, 2018 at 10:49 AM David A. Cooper <david.cooper@nist.gov> wrote: > > > I believe you are misinterpreting the text, but agree that it could be > made more clear. > > Suppose that the ClientHello includes a supported_versions extensions > that contains two values, TLS 1.4 and TLS 1.0, and the server supports > TLS 1.3 and below. My interpretation of the current draft is that the > server MUST use the supported_versions extension to determine the > client's preference, but then once deciding to use TLS 1.0 for the > connection sends a normal TLS 1.0 ServerHello, with version field set to > 0x0300 and no supported_versions extension. Note that Section 4.2.1 says > that > > A server which negotiates TLS 1.3 MUST respond by sending a > "supported_versions" extension containing the selected version > value (0x0304). > > It says nothing about a server that negotiates an earlier version. > > If my understanding is correct, then I believe the text in Section 4.1.3 > could be made more clear. Draft -21 said that the version field of > ServerHello "contains the version of TLS negotiated for this > connection." (this is similar to what RFC 5246 said). The current draft > says: > > In TLS 1.3, the TLS server indicates its version using the > "supported_versions" extension (Section 4.2.1), and the > legacy_version field MUST be set to 0x0303, which is the > version number for TLS 1.2. > > To be consistent with RFC 5246 and earlier, it seems like the text > should say something like: > > For a TLS 1.3 ServerHello the TLS server indicates its version > using the "supported_versions" extension (Section 4.2.1), and > the legacy_version field MUST be set to 0x0303, which is the > version number for TLS 1.2. For a TLS 1.2 and earlier ServerHello > the legacy_version field contains the version of TLS negotiated > for this connection. > > On Thu, Mar 1, 2018 at 5:24 AM, Nikos Mavrogiannopoulos > <nmav@redhat.com> wrote: > > > The TLS draft after version -21 requires TLS1.3 servers to negotiate > > pre-TLS1.3 versions with a new, mechanism. The document states: > > > > "If this extension is present, servers MUST ignore the > > ClientHello.legacy_version value and MUST use only the > > "supported_versions" extension to determine client preferences." > > > > ... > > > > "Note that this mechanism makes it possible to negotiate a > > version prior to TLS 1.2 if one side supports a sparse range." > > > > > > At this point, a server receiving a supported_versions extension which > > contains the single value 'TLS 1.0' has to follow the draft's > > recommendations and do: > > > > 1. It MUST set the ServerHello.legacy_version field to 0x0303 > > (TLS 1.2). > > 2. On the serverHello extensions include a supported_versions > > extension and advertise TLS1.0 > > > > That modifies the way TLS 1.1 or TLS 1.0 are negotiated, possibly > > introducing new issues with middle-boxes which see TLS1.2 in the > > ServerHello but TLS1.0 anywhere else. That is also a quite impossible > > code path (why would an implementation negotiate TLS1.0 using a TLS1.3 > > mechanism?). It is however anticipated to be used for that purpose as > > this draft mentions: > > > > "Servers should be prepared to receive ClientHellos that include > > this extension but do not include 0x0304 in the list of versions." > > > > Irrespective to any middle-box issues, I believe impossible code paths > > allowed by the protocol are more likely to cause problems than solve > > any, because they are often not tested, and provide attackers with > > additional tools to manipulate implementations. > > > > My recommendation to address that would to either ignore that extension > > if pre-TLS1.2 is negotiated, or revert to -21 draft behavior for pre- > > TLS1.3 protocol negotiation. That is, the server MUST not send the > > supported_versions extension if a pre-TLS1.3 protocol is to be > > negotiated. The first case ensures that there is a single way to > > negotiate TLS1.x, where x<3, and the second that the clientHello > > extension is only used informatively. > > > > regards, > > Nikos > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] draft-ietf-tls-tls13-24 supported_versions … Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… David A. Cooper
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… David Benjamin
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Yuhong Bao
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Eric Rescorla