Re: [TLS] ALPN concerns

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 06 November 2013 20:51 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Yoav Nir <ynir@checkpoint.com>, "tls@ietf.org list" <tls@ietf.org>
Thread-Topic: [TLS] ALPN concerns
Thread-Index: AQHO2nVrEJNfUuzvrkqBLee9/27ncJoXaOmAgAADJoCAAUFqQA==
Date: Wed, 6 Nov 2013 20:51:19 +0000
Message-ID: <4ff5300276984a0f883475b05b621f76@BL2PR03MB194.namprd03.prod.outlook.com>
References: <CAFewVt7-+e-e82LA3iPWOuoudRqCCk23uyf0w5+aXSFsAv64GA@mail.gmail.com> <CABkgnnXgUo_g-w=kefQUnFWLtcfdTByCWtSaxJHvLx-gtzZP_A@mail.gmail.com> <C98EE823-C8BD-4ED3-894A-5F562BE329EE@checkpoint.com>
In-Reply-To: <C98EE823-C8BD-4ED3-894A-5F562BE329EE@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Subject: Re: [TLS] ALPN concerns
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2013 20:51:26 -0000

ALPN support in IE11 does not usually trigger the issue with unpatched F5 devices. The combination of cipher suites, TLS extensions, and ALPN protocol IDs that IE11 advertises is such that the ClientHello is typically shorter than 256 bytes. Longer server names passed via SNI can of course still push IE's ClientHello over the unpatched F5 device's limit.

-----Original Message-----
From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Tuesday, November 5, 2013 5:36 PM
To: tls@ietf.org list
Subject: Re: [TLS] ALPN concerns

One other thing: Microsoft has released IE 11 that has ALPN. So if ALPN makes TLS fail, then those 2.3% of websites are now inaccessible by Internet Explorer. That is one big reason to upgrade their BigIP box.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
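The point both messages turn on is how many bytes a ClientHello occupies once SNI and ALPN are in it. The following is an added example, not code from the thread, from Microsoft or from F5: it serialises a TLS 1.2 ClientHello (RFC 5246 framing, RFC 6066 server_name, RFC 7301 ALPN) and reports whether the handshake message crosses 255 bytes, the limit the message above refers to. The cipher-suite list and the "baseline" extensions are constructed and are not IE11's actual advertisement, and counting the limit against the ClientHello handshake message (4-byte handshake header plus body, record header excluded) is an assumption; the byte arithmetic is exact for the encoding shown.

```python
"""Size a TLS 1.2 ClientHello to see whether SNI or ALPN push it past 255 bytes."""
import os
import struct

# Constructed list of 12 cipher suites (24 bytes on the wire); not IE11's real list.
CIPHER_SUITES = [
    0xC02B, 0xC02F, 0xC02C, 0xC030, 0xC013, 0xC014,
    0x009C, 0x009D, 0x009E, 0x009F, 0x002F, 0x0035,
]


def _ext(ext_type: int, body: bytes) -> bytes:
    """Wrap an extension body in its 2-byte type and 2-byte length header."""
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname: str) -> bytes:
    """server_name (type 0): a ServerNameList holding one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    return _ext(0x0000, struct.pack("!H", len(entry)) + entry)


def alpn_extension(protocols) -> bytes:
    """application_layer_protocol_negotiation (type 16): length-prefixed ProtocolNameList."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    return _ext(0x0010, struct.pack("!H", len(names)) + names)


def baseline_extensions() -> bytes:
    """Constructed set of extensions a 2013-era browser might send (54 bytes in total)."""
    groups = struct.pack("!HHH", 0x0017, 0x0018, 0x0019)          # P-256, P-384, P-521
    sigalgs = bytes([4, 1, 5, 1, 6, 1, 2, 1, 4, 3, 5, 3, 6, 3, 2, 3])  # (hash, sig) pairs
    return (
        _ext(0xFF01, b"\x00")                                      # renegotiation_info, empty
        + _ext(0x000B, b"\x01\x00")                                # ec_point_formats: uncompressed
        + _ext(0x000A, struct.pack("!H", len(groups)) + groups)    # supported_groups
        + _ext(0x000D, struct.pack("!H", len(sigalgs)) + sigalgs)  # signature_algorithms
        + _ext(0x0005, b"\x01\x00\x00\x00\x00")                    # status_request (OCSP), empty lists
    )


def build_client_hello(hostname: str, cipher_suites=CIPHER_SUITES, alpn=None) -> bytes:
    """Return a full TLS record: 5-byte record header + ClientHello handshake message."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    exts = sni_extension(hostname) + baseline_extensions()
    if alpn:
        exts += alpn_extension(alpn)
    body = (
        b"\x03\x03" + os.urandom(32)                  # client_version TLS 1.2, 32-byte random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def handshake_len(record: bytes) -> int:
    """Length of the ClientHello handshake message (header + body), record header excluded."""
    return len(record) - 5


def exceeds_255(record: bytes) -> bool:
    """True when the handshake message is longer than 255 bytes (assumed counting convention)."""
    return handshake_len(record) > 255


def sni_headroom(cipher_suites=CIPHER_SUITES, alpn=None) -> int:
    """Longest hostname that keeps the handshake message at or under 255 bytes."""
    empty = handshake_len(build_client_hello("", cipher_suites, alpn))
    return 255 - empty


if __name__ == "__main__":
    alpn = ["h2", "http/1.1"]
    for host in ("example.com", "a" * 120):
        for protos in (None, alpn):
            rec = build_client_hello(host, alpn=protos)
            print(f"{len(host):3d}-char SNI, ALPN={'yes' if protos else 'no '}: "
                  f"handshake {handshake_len(rec)} bytes, over 255: {exceeds_255(rec)}")
    print("SNI headroom without ALPN:", sni_headroom(), "with ALPN:", sni_headroom(alpn=alpn))
```

With this constructed suite and extension set, an 18-byte ALPN extension listing h2 and http/1.1 cuts the hostname headroom from 123 to 105 bytes, which is exactly the effect the message describes: a short SNI stays under the limit with ALPN present, while a long one crosses it only once ALPN is added. The condition a middlebox of the kind discussed here chokes on is a ClientHello between 256 and 511 bytes, the range that the later RFC 7685 padding extension exists to skip over, so a client that cannot shorten its hello can instead pad it past 511.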