Re: [TLS] History of extensions
Martin Rex <mrex@sap.com> Thu, 12 November 2009 14:00 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8DAF93A6AB5 for <tls@core3.amsl.com>; Thu, 12 Nov 2009 06:00:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.162
X-Spam-Level:
X-Spam-Status: No, score=-6.162 tagged_above=-999 required=5 tests=[AWL=0.087, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CdxW+1hM-pmb for <tls@core3.amsl.com>; Thu, 12 Nov 2009 06:00:44 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 140AA3A6A70 for <tls@ietf.org>; Thu, 12 Nov 2009 06:00:43 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nACE1AwD018921 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 12 Nov 2009 15:01:10 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911121401.nACE16Au020982@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Thu, 12 Nov 2009 15:01:06 +0100
In-Reply-To: <4AFBBE35.4010306@extendedsubset.com> from "Marsh Ray" at Nov 12, 9 01:50:13 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] History of extensions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 14:00:45 -0000
Marsh Ray wrote: > > Martin Rex wrote: > > That is wrong. The SSLv3 spec has the exact same provisions for > > TLS extensions as the TLSv1.0 and TLSv1.1 specs. > > > > TLS extensions became a standard part of the protocol in TLSv1.2 only. > > > > Compare the specs and you will see. > > Very enlightening, it's even more complicated than you said. No wonder > these things don't interoperate quite so well. > > Here's what I find: > > SSL 3.0 draft-freier-ssl-version3-02.txt > > "In the interests of forward compatibility, it is > permitted for a client hello message to include > extra data after the compression methods." I would suggest the following document for SSLv3 from 18-Nov-1996: http://tools.ietf.org/html/draft-ietf-tls-ssl-version3-00 Forward compatibility note: In the interests of forward compatibility, it is permitted for a client hello message to include extra data after the compression methods. This data must be included in the handshake hashes, but must otherwise be ignored. > > RFC 2246 TLS 1.0 (Jan 1999) > > "In the interests of forward compatibility, it is permitted for a > client hello message to include extra data after the compression > methods. This data must be included in the handshake hashes, but > must otherwise be ignored. This is the only handshake message for > which this is legal; for all other messages, the amount of data > in the message must match the description of the message precisely." > > RFC 3546 TLS Extensions (June 2003) > Updates 2246 (TLS 1.0) > > "The extensions described in this document may be used by TLS 1.0 > clients and TLS 1.0 servers. The extensions are designed to be > backwards compatible - meaning that TLS 1.0 clients that support the > extensions can talk to TLS 1.0 servers that do not support the > extensions, and vice versa." > "Note that the extended server hello message is only sent in response > to an extended client hello message. This prevents the possibility > that the extended server hello message could "break" existing TLS 1.0 > clients" > "The extended server hello message format MAY be sent in place of the > server hello message when the client has requested extended > functionality via the extended client hello message" > > RFC 4346 TLS 1.1 (April 2006) > > "In the interests of forward > compatibility, it is permitted that a client hello message include > extra data after the compression methods. This data MUST be included > in the handshake hashes, but must otherwise be ignored. This is the > only handshake message for which this is legal; for all other > messages, the amount of data in the message MUST match the > description of the message precisely. > > RFC 4366 TLS Extensions (April 2006) > Updates 4346 (TLS 1.1) > "The document therefore updates TLS 1.0 [TLS] and TLS 1.1" > "The extended server hello message format MAY be sent in place of the > server hello message when the client has requested extended > functionality via the extended client hello message" > > RFC 5246 TLS 1.2 > > "Clients MAY request extended functionality from servers by sending > data in the extensions field. The actual "Extension" format is > defined in Section 7.4.1.4." > "[server] A list of extensions. Note that only extensions offered > by the client can appear in the server's list." > > ------ > My interpretation: > > SSL 3.0 Allows room at the end of Client Hello for extra data. > Is silent on extra data after Server Hello. > No standard defines anything to be passed here. > > TLS 1.0 Allows room at the end of Client Hello for extra data > Forbids extra data after Server Hello. > Possibly went four years with no extensions defined, > so early implementations were untested in this. > > June 2003 > > RFC 3546 Uses room defined in TLS 1.0 to grow ClientHello into > ExtendedClientHello. > Defines a new ExtendedServerHello message without assigning > it a new HandshakeType. This is probably OK. SSL proxying > and monitoring may have been confused by this contradiction > of the spec with no version number bump. > > TLS 1.1 Reiterates that only ClientHello can have extra data. > No provision for ExtendedServerHello. > > RFC 4366 Updates TLS 1.0 and 1.1 to re-allow extensions. > This was simultaneous to 1.1 spec, so just an update. > > TLS 1.2 Defines extensions as part of the main TLS spec. > > ------ > Conclusions: > > Nothing defines extensions for SSL 3.0, how such servers will react when > sent extra ClientHello data is somewhat unpredictable. > > Perfectly-conforming implmentations since spec of Jan 1999 should, in > theory, not be broken. > > In practice, TLS server implementations designed before about 2004 > probably had no compliant clients with which to test that would send any > data after the traditional ClientHello. Such systems probably shipped > for quite some time afterwards. For example, all pre-Vista Windows OS's > may be in this category based on design date. > > There are a large number of TLS implementations that are not currently > extension-aware which will have to retrofit at least primitive support > in order to benefit from this security fix. I think it is OK to encourage interoperability with ExtendenClientHello and ExtendendServerHello in order to implement Eric's proposal for the TLS extension Renegotiation_Info. ClientHello extensibility has been in the spec for very long, and really is not that much to implement. I would appreciate if Eric's draft would precisely describe what exact elements of TLS extension (rfc4366 or what got integrated into rfc5246) is necessary to implement this draft. (ExtendenClientHello, ExtendendServerHello, correct hashing of handshake message, creation and parsing of extension_data). -Martin
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Pasi.Eronen
- [TLS] assert TLSext in renego-ServerHello instead… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- [TLS] TLSrenego - current summary of semantics an… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Steve Dispensa
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Yair Elharrar
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Marsh Ray
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Protected Renegotiation -- refined proposal Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Dr Stephen Henson
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Nasko Oskov
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Michael D'Errico
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- [TLS] A crazy idea Michael D'Errico
- Re: [TLS] A crazy idea Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] A crazy idea Michael D'Errico
- Re: [TLS] Protected Renegotiation -- refined prop… Yoav Nir
- Re: [TLS] A crazy idea Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Joseph Salowey (jsalowey)
- Re: [TLS] A not-so crazy idea Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] A not-so crazy idea Yair Elharrar
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Nelson B Bolyard
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson Bolyard