Re: [TLS] Keeping TLS extension points working

Hubert Kario <hkario@redhat.com> Thu, 28 July 2016 10:29 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1392512DD98 for <tls@ietfa.amsl.com>; Thu, 28 Jul 2016 03:29:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.209
X-Spam-Level:
X-Spam-Status: No, score=-8.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fuhohXN4RNea for <tls@ietfa.amsl.com>; Thu, 28 Jul 2016 03:29:02 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C20F212DE84 for <tls@ietf.org>; Thu, 28 Jul 2016 03:29:00 -0700 (PDT)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0C06B3919A0; Thu, 28 Jul 2016 10:29:00 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (dhcp-0-107.brq.redhat.com [10.34.0.107]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u6SASwM0027314 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Jul 2016 06:28:59 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Thu, 28 Jul 2016 12:28:52 +0200
Message-ID: <1484484.N0J803EhZs@pintsize.usersys.redhat.com>
User-Agent: KMail/5.2.3 (Linux/4.6.4-301.fc24.x86_64; KDE/5.24.0; x86_64; ; )
In-Reply-To: <CALTJjxHukROs-mrMUCmX1GjmfNAHhcmcVbykJnQ7UPDDiZHUJg@mail.gmail.com>
References: <CAF8qwaCaW2Q+z_JoDqzQZaGCWJ2aqUiyK8_J8_CO4Ck_cqtaSA@mail.gmail.com> <CAF8qwaARvrFKhBUi10rEEUWpito3n4OWXuK5JH0ZO4gU6rzK5w@mail.gmail.com> <CALTJjxHukROs-mrMUCmX1GjmfNAHhcmcVbykJnQ7UPDDiZHUJg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart25788663.7R4STH9poa"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Thu, 28 Jul 2016 10:29:00 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZiKE5hHuQCoHNF3sc7vcAxy6gVI>
Subject: Re: [TLS] Keeping TLS extension points working
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 10:29:05 -0000

On Wednesday, 27 July 2016 09:50:18 CEST Wan-Teh Chang wrote:
> On Mon, Jul 25, 2016 at 3:32 PM, David Benjamin <davidben@chromium.org> 
wrote:
> > Hi folks,
> > 
> > I'm not sure how this process usually works, but I would like to reserve a
> > bunch of values in the TLS registries to as part of an idea to keep our
> > extension points working. Here's an I-D:
> > https://tools.ietf.org/html/draft-davidben-tls-grease-00
> > 
> > (The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy
> > from https://www.imperialviolet.org/2016/05/16/agility.html )
> > 
> > One problem we repeatedly run into is servers failing to implement TLS's
> > various extension points correctly. The most obvious being version
> > intolerance. When we deployed X25519 in Chrome, we discovered an
> > intolerant
> > implementation. (Thankfully it was rare enough to not warrant a fallback
> > or
> > revert!) It appears that signature algorithms maybe also be gathering
> > rust.
> > Ciphers and extensions seem to have held up, but I would like to ensure
> > they stay that way.
> > 
> > The root problem here is these broken servers interoperate fine with
> > clients at the time they are deployed. It is only after new values get
> > defined do we notice, by which time it is too late.
> > 
> > I would like to fix this by reserving a few values in our registries so
> > that clients may advertise random ones and regularly exercise these
> > codepaths in servers. If enough of the client base does this, we can turn
> > a large class of tomorrow's interop failures into today's interop
> > failures. This is important because an bug will not thrive in the
> > ecosystem if it does not work against the current deployment.
> 
> Hi David,
> 
> In general I like your idea. Thank you for writing up a proposal.
> 
> Another source of interop failures is the firewall devices that do
> anomaly detection. Some of them will abort TLS handshakes if they see
> unknown TLS protocol versions or extensions in ClientHello. (They all
> seem to allow unknown cipher suite values.) I suspect they will treat
> the GREASE cipher suite, extension, and named group values as "normal"
> and continue to abort the handshake if they see truly new values. I
> can only hope that these network security devices are updated
> regularly.

how about adding a section that explicitly says what they are allowed to do, 
and what they should not do?

i.e. it is acceptable for them to reject messages that are malformed (data in 
client hello past extensions field, odd sizes for arrays that contain just 
double-byte values, etc.) but not "undefined" extensions or "undefined" values 
in them

in other words, how they can still provide added value without breaking TLS in 
the future
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 99/71, 612 45, Brno, Czech Republic