Re: [TLS] draft-rescorla-tls-renegotiate.txt

Martin Rex <mrex@sap.com> Fri, 06 November 2009 19:59 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E51E53A69EF for <tls@core3.amsl.com>; Fri, 6 Nov 2009 11:59:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.096
X-Spam-Level:
X-Spam-Status: No, score=-6.096 tagged_above=-999 required=5 tests=[AWL=0.153, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1IOH1DDPDtl for <tls@core3.amsl.com>; Fri, 6 Nov 2009 11:59:28 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id F05513A67B6 for <tls@ietf.org>; Fri, 6 Nov 2009 11:59:27 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nA6JxnLB017351 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 6 Nov 2009 20:59:49 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911061959.nA6JxnnB001831@fs4113.wdf.sap.corp>
To: mike-list@pobox.com (Michael D'Errico)
Date: Fri, 6 Nov 2009 20:59:49 +0100 (MET)
In-Reply-To: <4AF47F1A.6080502@pobox.com> from "Michael D'Errico" at Nov 6, 9 11:55:06 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Nov 2009 19:59:29 -0000

Michael D'Errico wrote:
> 
> >    - to describe how to add/implement this fix to each and
> >      every affected protocol version of the SSL/TLS Family.
> > 
> >      I just noticed that SSLv3 does _NOT_ have a "no_renegotiate" alert!
> >      To me, it looks like the SSLv3 spec does not specify how to
> >      deny performing a renegotiate.  Which is slightly odd, since
> >      there are SSLv3 implementations that do not implement renegotiation...
> 
> Even more importantly, SSLv3 does not support extensions.

You're correct.  SSLv3 allows extensions in the ClientHello that
are to be ignored, but it does not support them in ServerHello.

Oooops.

Suggestions?


-Martin