Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3

Marsh Ray <marsh@extendedsubset.com> Sun, 15 November 2009 19:30 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 101C43A68FF for <tls@core3.amsl.com>; Sun, 15 Nov 2009 11:30:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ELHr6w1poRrW for <tls@core3.amsl.com>; Sun, 15 Nov 2009 11:30:47 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id D8FFE3A698A for <tls@ietf.org>; Sun, 15 Nov 2009 11:30:46 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N9ko9-000NDO-Uv for tls@ietf.org; Sun, 15 Nov 2009 19:30:46 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id F40B1667C for <tls@ietf.org>; Sun, 15 Nov 2009 19:30:42 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18swH8XbhkYMOpx6Q80VYznB1VR8Uin7YU=
Message-ID: <4B0056E0.1000804@extendedsubset.com>
Date: Sun, 15 Nov 2009 13:30:40 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <200911120512.nAC5CiIu019763@fs4113.wdf.sap.corp><82B3FF62-B9AE-45D0-AB6A-62ACACFC3F97@acm.org> <4B004A24.9080508@extendedsubset.com> <AC1CFD94F59A264488DC2BEC3E890DE5091A7626@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE5091A7626@xmb-sjc-225.amer.cisco.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 19:30:48 -0000

Joseph Salowey (jsalowey) wrote:
>  
> [Joe] The server is not allowed to send an extension if the client does
> not send it.  I don't see a spec problem here.  

I certainly see the logic in that. This is a very interesting point.

The SSLv3 spec says Client Hello can contain extra data. In theory, we
should be able to add client hello extensions and servers which don't
interpret them will ignore them. Servers which do interpret them may
respond with a Server Hello extension which is undefined by this spec,
but that's OK because it doesn't happen unless the client asked for it.

But there was no structure defined for that extra data and there were no
major implementations to put anything there. Even if a client did want
to use it, there was no type-length-value layout defined for it, so
there was no way to send more than one extension. This effectively shut
off that facility for experimental or vendor-specific use. The only
party who could safely put any data there was the IETF, and that didn't
seem to happen until RFC 3546 TLS Extensions (June 2003), which defined
five specific extensions (and only for TLS 1.0 not SSLv3).

Until then, there was no client implementation that sent extensions, and
it was not possible for implementors to add their own in an
interoperable way. Probably new development on SSLv3 had all but stopped
by then. This effectively meant that server implementations were not
tested to ignore extensions (or process them) until quite recently.

So in practice, in order for a protocol structure to be usable in the
future there has to have been some way to develop and test against it
from the beginning.

- Marsh