Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and
Martin Rex <mrex@sap.com> Wed, 16 February 2011 23:34 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5B3393A6CE4 for <tls@core3.amsl.com>; Wed, 16 Feb 2011 15:34:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.224
X-Spam-Level:
X-Spam-Status: No, score=-10.224 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgYdq1vdv+3B for <tls@core3.amsl.com>; Wed, 16 Feb 2011 15:34:34 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id CB93E3A6AB9 for <tls@ietf.org>; Wed, 16 Feb 2011 15:34:33 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p1GNZ1Ug019194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 17 Feb 2011 00:35:01 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201102162335.p1GNZ0Yd009478@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Thu, 17 Feb 2011 00:35:00 +0100
In-Reply-To: <4D59B8FE.6010908@pobox.com> from "Michael D'Errico" at Feb 14, 11 03:21:34 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 with DSA client cert and
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 23:34:36 -0000
Michael D'Errico wrote: > > > It is extremely rare for TLS clients and servers to actually negotiate > > TLSv1.2, and I currently do not expect this to change significantly > > during the next couple of years. > > > > There seem to be two reasons for this: > > > > - at least one vendor sees a performance problem with enabling > > TLSv1.2 for the server by default > > This is not a problem with TLS 1.2 itself, but of that vendor's > implementation of it. My server shows virtually no difference in > throughput for any SSL/TLS version, though SSL3 is a tiny bit > slower than the rest. This could be explained by the slightly > more complicated MAC computation in SSLv3 vs HMAC in TLS. The more I think about it, the more I believe it is, in fact, a design flaw in TLSv1.2 responsible for a handshake performance issue (at least when a client certificate is requested). While the PRF was changed from SSLv3->TLSv1.0, there was no change to the CertificateVerify handshake message. So for creating and verifying a CertificateVerify handshake message, two hashes must be maintained over all handshake messages: MD5 + SHA1. With TLSv1.2, if a server does not want to artificially limit the signature algorithms on acceptable client certificates, it must send a long list of acceptable combinations (sha1,rsa), (sha1,dsa), (sha256,rsa), (sha384,rsa), (sha512,rsa), (sha224,dsa), (sha256,dsa), ... So unless both, server and client must either hold on to all handshake messages up to CertificateVerify or carry along hash contexts for all of the possible algorithms. Compare: SSLv3, TLSv1.0/1.1 md5 + sha1 TLSv1.2 md5 + sha1 + sha224 + sha256 + sha384 + sha512 If you look at this list, look at how TLS uses hashes for digital signatures and think about the algorithmic relationships between sha224&sha256 and between sha384&sha52, then sha224 and sha384 are utterly useless fifth and sixth wheel on the TLS cart. For TLS itself, sha256 -- or maybe even sha256 alone would have been PERFECTLY sufficent, and a LOT less work. What I also don't understand is the idea behind "default signature algorithms". For implementing TLSv1.2, SHA-256 _must_ be supported, but unless explicitly negotiated with the TLS SignatureAlgorithm extension, SHA-256 appears not allowed to be used for CertificateVerify. That would mean, when TLSv1.2 is negotiated, but no SignatureAlgorithms extension exchanged, the resulting signature with an RSA client cert in CertificateVerify no longer uses MD5+SHA-1 as in TLS up to v1.1, but _only_ SHA-1 (which slightly weakens that signature compared to prior protocol versions...). The use of SHA-256 is prohibited!??! Weird, really. -Martin
- [TLS] TLSv1.2 with DSA client cert and key size >… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Wan-Teh Chang
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- [TLS] TLS v1.2 performance (was Re: TLSv1.2 with … Michael D'Errico
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Nikos Mavrogiannopoulos
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Dr Stephen Henson
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Kemp, David P.
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Wan-Teh Chang
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yoav Nir
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Eric Rescorla
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Marsh Ray
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Juho Vähä-Herttua
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Kyle Hamilton
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Nikos Mavrogiannopoulos
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Michael D'Errico
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Peter Gutmann
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Matt DeMoss
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Geoffrey Keating
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Martin Rex
- Re: [TLS] TLS v1.2 performance (was Re: TLSv1.2 w… Sean Turner
- Re: [TLS] TLSv1.2 with DSA client cert and key si… Martin Rex