Re: [TLS] Proposal: a minimal TLS 1.3 for HTTP/2
Dave Garrett <davemgarrett@gmail.com> Thu, 06 November 2014 07:50 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86D0B1A1A12 for <tls@ietfa.amsl.com>; Wed, 5 Nov 2014 23:50:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b9RwxeGT0E7f for <tls@ietfa.amsl.com>; Wed, 5 Nov 2014 23:50:13 -0800 (PST)
Received: from mail-qg0-x236.google.com (mail-qg0-x236.google.com [IPv6:2607:f8b0:400d:c04::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E6041A1A0D for <tls@ietf.org>; Wed, 5 Nov 2014 23:50:13 -0800 (PST)
Received: by mail-qg0-f54.google.com with SMTP id q108so337699qgd.41 for <tls@ietf.org>; Wed, 05 Nov 2014 23:50:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=Iw5X+fgTziTGrQNo42y9/GiOapEUzvp0Y0DI2a3pP1M=; b=TSChqJxQVz19+1c+rOf/pW1g2Y61dO0cmAU11CEbhxghAS8V30axwI+13frC1oUOn4 cbzy9v6I4TBUM4VGnnNr5GXwe19GvsMkNCduVkXbC3Gr0WsqyjwtENZHZy0nwhrEiNW+ M/25tdCl45waUQo8nffXkOpFWvWFHCQ1pj8hUMv7yv8W0BpT9nioVn/CkqD+nFdvkeor /kA9vrQwPiFcafkJbUPPoCEyjLalrpxtAQsbOc/ZclQ75OBlpKY/2eriJyNJ6M5l8wGy C0aBFbvLLiVfB7yn95pQZEsYoFfRkzmT2YlOpWFJH3sYsYNElu7OYVh5tzuFjJ8N8+yM AdTw==
X-Received: by 10.229.139.195 with SMTP id f3mr4189366qcu.3.1415260212837; Wed, 05 Nov 2014 23:50:12 -0800 (PST)
Received: from dave-laptop.localnet (pool-72-78-212-218.phlapa.fios.verizon.net. [72.78.212.218]) by mx.google.com with ESMTPSA id h79sm5276784qgd.27.2014.11.05.23.50.12 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 05 Nov 2014 23:50:12 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Date: Thu, 06 Nov 2014 02:50:10 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-66-generic-pae; KDE/4.4.5; i686; ; )
References: <201411031651.09896.davemgarrett@gmail.com> <CC2553CF-3928-42A3-93A2-EE679EE49D9F@gmail.com>
In-Reply-To: <CC2553CF-3928-42A3-93A2-EE679EE49D9F@gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <201411060250.11408.davemgarrett@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/W5oVTGfbq9obj0gOUSd-m0NmL7o
X-Mailman-Approved-At: Fri, 07 Nov 2014 04:57:44 -0800
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] Proposal: a minimal TLS 1.3 for HTTP/2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Nov 2014 07:50:15 -0000
For clients wanting to attempt a fallback, yes, this might not be a perfect solution. It is, however, far better than the current state. Ciphers would not have to be assessed and implementation of the restrictions would be far more simple and clear. Moving the painpoint, as you say, would be a notable improvement. One simple check vs. a handful of possibly complex checks. At this point, Greg Wilkins' proposal looks to be the best available option getting any discussion: http://lists.w3.org/Archives/Public/ietf-http-wg/2014OctDec/0481.html An HTTP/2 handshake would not be able to include any legacy ciphers, and if this fails then the client could then fallback and retry with HTTP/1.1 instead. It gets a more robust handshake in exchange for a slightly slower fallback if the server does not support any modern ciphers. I should note that this is already something Mozilla is implementing with respect to RC4. The plan is to do the initial handshake without RC4 and only offer it as a possibility if the more ideal cipher set is rejected. (fallback order becomes: 1.2-RC4, 1.2+RC4, 1.1+RC4, 1.0+RC4) Dave On Thursday, November 06, 2014 02:21:02 am Yoav Nir wrote: > Hi, Dave > > I believe that ultimately this does not solve the issue raised about 9.2.2 > on the httpbis list. > > The issue there was that a client would propose AES-CBC and AES-GCM > (forgive me for shortening the grouping suites) with “h1” and “h2”, and > then it’s up to the server to know that the AES-CBC and “h2” combination > is prohibited by the HTTP/2 spec. This could be done either by the HTTP > layer checking on the TLS layer, or by adding callbacks and APIs for the > HTTP layer to make the choice of ciphersuite for the TLS layer, or by > incorporating some HTTP/2 specifications into the TLS layer. People > claimed that this was either ugly or hard to implement. > > The issue does not go away with your proposal. The reason servers support > “h1” at all is to support legacy clients, and the reason clients propose > “h1” and non-AEAD ciphersuites at all is to support legacy servers. What > your proposal does is move the pain point from ciphersuite selection to > version selection. A client would still propose TLS 1.0, TLS 1.1, TLS 1.2, > and if it’s updated, TLS 1.3. A server would still have to know that the > “h2” and TLS 1.2 combination is invalid, and the complexity remains. > > It’s true that the current requirement in HTTP/2 has this issue anyway, as > it prohibits TLS versions under TLS 1.2, but I’m in the “rip out 9.2.2 and > live with whatever the TLS layer negotiates” camp. > > Yoav
- [TLS] Proposal: a minimal TLS 1.3 for HTTP/2 Dave Garrett
- Re: [TLS] Proposal: a minimal TLS 1.3 for HTTP/2 Martin Thomson
- Re: [TLS] Proposal: a minimal TLS 1.3 for HTTP/2 Salz, Rich
- Re: [TLS] Proposal: a minimal TLS 1.3 for HTTP/2 Yoav Nir
- Re: [TLS] Proposal: a minimal TLS 1.3 for HTTP/2 Yoav Nir
- Re: [TLS] Proposal: a minimal TLS 1.3 for HTTP/2 Dave Garrett
- Re: [TLS] Proposal: a minimal TLS 1.3 for HTTP/2 Martin Thomson