Re: [TLS] FFDHE and SHOULDs on usage

Thijs van Dijk <> Sat, 18 April 2015 06:31 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2BC881A0027 for <>; Fri, 17 Apr 2015 23:31:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.712
X-Spam-Status: No, score=-0.712 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DYEBBs7VK3B7 for <>; Fri, 17 Apr 2015 23:31:50 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5D3811A0006 for <>; Fri, 17 Apr 2015 23:31:50 -0700 (PDT)
Received: by wiun10 with SMTP id n10so41049608wiu.1 for <>; Fri, 17 Apr 2015 23:31:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google-inurb; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Kpr7cxcYN/Zjes09wDKZxfj3x5uk3bO2FGv6sm/DYU4=; b=rNc1T2gVFDk4FKhvqG5NL3zKhZKIS8A2PSc2GSE4pE80HNmuWbzkqx0fhbEPjWA6sd ZeqUcD55Fen8UTKMkTdaUXos9lbGOVdh/awSORd9rRBer7iICW85wuugqHb7AQ9FwEeI b2b73mfZzPCCFG5mqtWWT1OugfDsT81kdxIp4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Kpr7cxcYN/Zjes09wDKZxfj3x5uk3bO2FGv6sm/DYU4=; b=B8bt65BYxAYkwFrdY9IaPLWEfqCznxGjC4fM9yOn8jQWspQnWKAmslOMn1B+UnpgXX BpTI9MlSyfC/frIiUM6HB7LsvGYWiznO3EW2NCp+WUNgBElH9OzyEkG4isODIIPcV0D1 uICz/kzmVd300Hjc4YE+boQbUoyPRRPt2nftS/Tj1IZearXnwQdD/4W3YOMZ6RQ2llUP 1Vw5vVRHIcipsfA1goOyhDR4wVgLryM4R0Arq0f3O+/JK1UAubAmkAFsdl6sCsJ/VwP/ gb9gQZSMihydr5TOBlqNDnE1QfmPVjqPb/GLy4f36AUins2pDF8bVeLjnT/NQWtNpDfv ueWw==
X-Gm-Message-State: ALoCoQlHWWGeijcfSGSWK79xfpO7hSIHfY5SqYrFxYO/Tf/nOBZV+kcwmpffbU+bquu4u+/YBEtu
MIME-Version: 1.0
X-Received: by with SMTP id tb2mr7241978wic.64.1429338709103; Fri, 17 Apr 2015 23:31:49 -0700 (PDT)
Received: by with HTTP; Fri, 17 Apr 2015 23:31:49 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Sat, 18 Apr 2015 08:31:49 +0200
Message-ID: <>
From: Thijs van Dijk <>
Content-Type: multipart/alternative; boundary="001a113612bc05293a0513f9da14"
Archived-At: <>
Subject: Re: [TLS] FFDHE and SHOULDs on usage
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 18 Apr 2015 06:31:52 -0000

On 18 April 2015 at 05:10, Martin Rex <> wrote:

> Could we just scrap the "based on xxx preference" nonsense entirely?
> The sender of the list sends whatever it sees fit, and the receiver
> of the list has the privilege to pick what ever the receiver believes
> is most appropriate from the receivers point of view.
> I never understood why (a) such a silly suggestion was made for
> the ordering of cipher suites in ClientHello and (b) why any TLS server
> implementaion would care for the client's ordering rather than enforcing
> the server preference.  If the client does not want something, it must
> not offer it.  If the server does not want something, it must not pick it.

I still think it's a reasonable safeguard against lazy server
implementations (e.g. mine): The naive way of implementing cipher agreement
is to loop through the client's suggestions and pick the first one both
client and server suport. If that happens to be an EXPORT/RC4 combo you're
out of luck.

However if either the client or the server exhibits a preference, you're
almost guaranteed to do better than both sides' worst case.

Furthermore, I think that conceptually, dropping client preference would
equate to making server preference a requirement. The TLS1.3 spec should
reflect this in some way, so it's not very language-economic either.