Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

Dr Stephen Henson <lists@drh-consultancy.demon.co.uk> Fri, 13 November 2009 22:58 UTC

Return-Path: <lists@drh-consultancy.demon.co.uk>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 980353A67AA for <tls@core3.amsl.com>; Fri, 13 Nov 2009 14:58:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vwIWKmChRR0C for <tls@core3.amsl.com>; Fri, 13 Nov 2009 14:58:36 -0800 (PST)
Received: from claranet-outbound-smtp05.uk.clara.net (claranet-outbound-smtp05.uk.clara.net [195.8.89.38]) by core3.amsl.com (Postfix) with ESMTP id 609493A659C for <tls@ietf.org>; Fri, 13 Nov 2009 14:58:36 -0800 (PST)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10]:49865 helo=[192.168.7.8]) by relay05.mail.eu.clara.net (relay.clara.net [213.253.3.45]:10587) with esmtpa (authdaemon_plain:drh) id 1N956d-00076D-Ig (Exim 4.69) for tls@ietf.org (return-path <lists@drh-consultancy.demon.co.uk>); Fri, 13 Nov 2009 22:59:04 +0000
Message-ID: <4AFDE4C0.9090007@drh-consultancy.demon.co.uk>
Date: Fri, 13 Nov 2009 22:59:12 +0000
From: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <200911092035.nA9KZviE026489@fs4113.wdf.sap.corp> <4AF8EF8F.3090100@jacaranda.org> <4AF8F7B4.7020101@pobox.com> <4AF8FDBD.4080003@jacaranda.org> <4AF9070E.4050305@jacaranda.org> <4AF99E04.3060604@pobox.com> <20091112055910.58D2369EF16@kilo.networkresonance.com> <4AFC46D8.9050905@pobox.com> <20091113060004.55DC569F31E@kilo.networkresonance.com>, <4AFD850C.7010704@pobox.com> <006FEB08D9C6444AB014105C9AEB133FB36A4EC024@il-ex01.ad.checkpoint.com>
In-Reply-To: <006FEB08D9C6444AB014105C9AEB133FB36A4EC024@il-ex01.ad.checkpoint.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2009 22:58:37 -0000

Yoav Nir wrote:
> Actually, there have been messages suggesting that clients sending this (or any other) extension, may have their session terminated, especially if using SSLv3 and even with some TLS 1.0 servers. If that is true for even a small minority of servers (say, 1%) we can't realistically expect browser vendors to add this, except buried deeply in some advanced menu.
> 
> I wish we had some hard data on this, but if this is true, we may need to find other ways for the client to signal support, or to signal re-negotiation.

After OpenSSL enabled TLS extensions by default it initially included them in
SSLv3 client hello's too. We did have quite a few reports of problems so this
was disabled in the latest snapshots. Anything using an SSLv3 compatible client
hello (i.e. says it supports TLSv1 or later but will also accept SSLv3) has the
same potential problem and the deprecated SSLv2 compatible client hello is of
course a non-starter.

Not sure if this has been mentioned before but a dummy ciphersuite should be
acceptable to any server. That is we allocate one unused ciphersuite to have the
special meaning of "client supports renegotiation extension". Those so inclined
could include it in an SSLv2 compatible client hello too.

How a server signals support then becomes a problem. You can't send back an
extension in the server hello without violating the protocol rules as they
currently stand.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.