Re: [TLS] Interaction between session resumption and negotiated protocol version

Martin Thomson <martin.thomson@gmail.com> Sat, 04 April 2015 00:37 UTC

On 3 April 2015 at 16:53, David Benjamin <davidben@chromium.org> wrote:
> That new version is also unwise and the entire text should just be dropped. It
> means you get stuck at that version even if the server gets upgraded later.

Yep.  I recently landed a change in NSS that does exactly this.

That risks badness with servers that didn't do what Brian suggested
(your option 3), but our assessment (advised by telemetry) was that
the probability of that was low enough.