[TLS] interop for TLS clients proposing TLSv1.1

Martin Rex <mrex@sap.com> Wed, 21 September 2011 20:46 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E80B71F0CDD for <tls@ietfa.amsl.com>; Wed, 21 Sep 2011 13:46:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.752
X-Spam-Level:
X-Spam-Status: No, score=-9.752 tagged_above=-999 required=5 tests=[AWL=-0.103, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ASXJLC5WBYPe for <tls@ietfa.amsl.com>; Wed, 21 Sep 2011 13:46:08 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id E8E221F0CB1 for <tls@ietf.org>; Wed, 21 Sep 2011 13:46:07 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p8LKmYPl024896 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <tls@ietf.org>; Wed, 21 Sep 2011 22:48:34 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201109212048.p8LKmXnH014242@fs4113.wdf.sap.corp>
To: tls@ietf.org
Date: Wed, 21 Sep 2011 22:48:33 +0200 (MEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
Subject: [TLS] interop for TLS clients proposing TLSv1.1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Sep 2011 20:46:09 -0000

Does anyone (SSL Labs, Opera, others) have any figures/stats about the
current "TLSv1.1 version (in)tolerance" for TLS servers on the public
internet?

A quick google search about the current client side situation for
proposing TLSv1.1 gave me (among others) to this information:

http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx


I am somewhat puzzled about the description of the reconnect fallback
described there for WinINET, and I believe that code/logic is wrong.

Quoting:

  If you examine the Encrypted Alert from the server, you will
  see that it contains the byte sequence 02 46, meaning
  Fatal Alert: Protocol Version.

  The server isn't supposed to behave this wayits instead expected
  to simply reply using the latest HTTPS protocol version it supports
  (e.g. "3.1 aka TLS 1.0). Now, had the server gracefully closed the
  connection at this point, it would be okay-- code in WinINET would
  fallback and retry the connection offering only TLS 1.0. The only
  downside would be performancethe extra roundtrips required for the
  new TLS 1.0 handshake will usually result in a penalty amounting
  to tens or hundreds of milliseconds.

  However, this server used a TCP/IP RST to abort the connection,
  which disables the fallback code in WinINET and causes the entire
  connection sequence to be abandoned, leaving the user with the
  Internet Explorer cannot display the webpage error message.

I believe that the Server's TCP/IP stack closing the connection
with RST is OK and perfectly permissible, and WinINET ought to
use a reconnect fallback here.

TCP RST with the meaning ("no one is listening") applies only
when an RST is received _instead_of_ SYN+ACK during TCP connection
establishment, with the effect of synchronous connect() failing with
an error or asynchrounous connect reporting an error on getsockopt()
after signalling writability.


In the above case, connect() had definitely successfully completed
-- they did send the ClientHello and even did receive an SSL Alert,
didn't they?)

But on top of that, the WinINET client seeing a fatal "protocol_version"
TLS alert is a "Blue's clue" on suggested retrying with TLSv1.0.


The TCP RST in the above situation, as described in Stevens' Network
Programming, Section 7.5, Socket Option SO_LINGER, only indicates the
specific SO_LINGER setting that the server had used for his side
of the connection / his socket (Fig. 7.10  close() l_onoff=1, l_linger=0)

The SO_LINGER setting for a socket is entirely at the discretion of each peer
and closing the socket immediately after sending a fatal alert is exactly
what the TLS spec suggests:

   http://tools.ietf.org/html/rfc2246#section-7.2.2

   7.2.2. Error alerts

   Error handling in the TLS Handshake protocol is very simple. When an
   error is detected, the detecting party sends a message to the other
   party. Upon transmission or receipt of an fatal alert message, both
   parties immediately close the connection. 

          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^!

I believe that the informtion in this blog is incorrect (about
what the server should do and about what WinINET should do) and
if my analysis is correct this information should be fixed or removed.

Likewise, if my analsis is correct and that Blog accurately describes
WinINETs behaviour, that WinINET behaviour should be fixed to allow
MSIE users on Win7 to enable TLSv1.1 with less risk of interop problems.


-Martin