[TLS] interop for TLS clients proposing TLSv1.1
Martin Rex <mrex@sap.com> Wed, 21 September 2011 20:46 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E80B71F0CDD for <tls@ietfa.amsl.com>; Wed, 21 Sep 2011 13:46:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.752
X-Spam-Level:
X-Spam-Status: No, score=-9.752 tagged_above=-999 required=5 tests=[AWL=-0.103, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ASXJLC5WBYPe for <tls@ietfa.amsl.com>; Wed, 21 Sep 2011 13:46:08 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id E8E221F0CB1 for <tls@ietf.org>; Wed, 21 Sep 2011 13:46:07 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p8LKmYPl024896 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <tls@ietf.org>; Wed, 21 Sep 2011 22:48:34 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201109212048.p8LKmXnH014242@fs4113.wdf.sap.corp>
To: tls@ietf.org
Date: Wed, 21 Sep 2011 22:48:33 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Subject: [TLS] interop for TLS clients proposing TLSv1.1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Sep 2011 20:46:09 -0000
Does anyone (SSL Labs, Opera, others) have any figures/stats about the current "TLSv1.1 version (in)tolerance" for TLS servers on the public internet? A quick google search about the current client side situation for proposing TLSv1.1 gave me (among others) to this information: http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx I am somewhat puzzled about the description of the reconnect fallback described there for WinINET, and I believe that code/logic is wrong. Quoting: If you examine the Encrypted Alert from the server, you will see that it contains the byte sequence 02 46, meaning Fatal Alert: Protocol Version. The server isn't supposed to behave this wayits instead expected to simply reply using the latest HTTPS protocol version it supports (e.g. "3.1 aka TLS 1.0). Now, had the server gracefully closed the connection at this point, it would be okay-- code in WinINET would fallback and retry the connection offering only TLS 1.0. The only downside would be performancethe extra roundtrips required for the new TLS 1.0 handshake will usually result in a penalty amounting to tens or hundreds of milliseconds. However, this server used a TCP/IP RST to abort the connection, which disables the fallback code in WinINET and causes the entire connection sequence to be abandoned, leaving the user with the Internet Explorer cannot display the webpage error message. I believe that the Server's TCP/IP stack closing the connection with RST is OK and perfectly permissible, and WinINET ought to use a reconnect fallback here. TCP RST with the meaning ("no one is listening") applies only when an RST is received _instead_of_ SYN+ACK during TCP connection establishment, with the effect of synchronous connect() failing with an error or asynchrounous connect reporting an error on getsockopt() after signalling writability. In the above case, connect() had definitely successfully completed -- they did send the ClientHello and even did receive an SSL Alert, didn't they?) But on top of that, the WinINET client seeing a fatal "protocol_version" TLS alert is a "Blue's clue" on suggested retrying with TLSv1.0. The TCP RST in the above situation, as described in Stevens' Network Programming, Section 7.5, Socket Option SO_LINGER, only indicates the specific SO_LINGER setting that the server had used for his side of the connection / his socket (Fig. 7.10 close() l_onoff=1, l_linger=0) The SO_LINGER setting for a socket is entirely at the discretion of each peer and closing the socket immediately after sending a fatal alert is exactly what the TLS spec suggests: http://tools.ietf.org/html/rfc2246#section-7.2.2 7.2.2. Error alerts Error handling in the TLS Handshake protocol is very simple. When an error is detected, the detecting party sends a message to the other party. Upon transmission or receipt of an fatal alert message, both parties immediately close the connection. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^! I believe that the informtion in this blog is incorrect (about what the server should do and about what WinINET should do) and if my analysis is correct this information should be fixed or removed. Likewise, if my analsis is correct and that Blog accurately describes WinINETs behaviour, that WinINET behaviour should be fixed to allow MSIE users on Win7 to enable TLSv1.1 with less risk of interop problems. -Martin
- [TLS] interop for TLS clients proposing TLSv1.1 Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] interop for TLS clients proposing TLSv1… Yoav Nir
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] interop for TLS clients proposing TLSv1… Geoffrey Keating
- Re: [TLS] interop for TLS clients proposing TLSv1… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Geoffrey Keating
- Re: [TLS] interop for TLS clients proposing TLSv1… Peter Gutmann
- Re: [TLS] interop for TLS clients proposing TLSv1… Florian Weimer
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Yngve N. Pettersen
- Re: [TLS] interop for TLS clients proposing TLSv1… Bill Frantz
- Re: [TLS] interop for TLS clients proposing TLSv1… Martin Rex
- Re: [TLS] interop for TLS clients proposing TLSv1… Nikos Mavrogiannopoulos
- Re: [TLS] interop for TLS clients proposing TLSv1… Juho Vähä-Herttua