Re: [TLS] Renego Indication RI patch interaction with TLS major version interop
Simon Josefsson <simon@josefsson.org> Tue, 15 June 2010 21:53 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 32ABE3A6946 for <tls@core3.amsl.com>; Tue, 15 Jun 2010 14:53:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.19
X-Spam-Level:
X-Spam-Status: No, score=-2.19 tagged_above=-999 required=5 tests=[AWL=0.409, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iWmccoTbbsT8 for <tls@core3.amsl.com>; Tue, 15 Jun 2010 14:53:43 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id F14DA3A6922 for <TLS@ietf.org>; Tue, 15 Jun 2010 14:53:42 -0700 (PDT)
Received: from mocca (c80-216-29-48.bredband.comhem.se [80.216.29.48]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o5FLrNvi032644 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 15 Jun 2010 23:53:26 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Adam Langley <agl@google.com>
References: <4C17AA89.8060904@extendedsubset.com> <4C17B2FE.7080604@pobox.com> <87d3vs574u.fsf@mocca.josefsson.org> <AANLkTimsd145GswXqoHbkh9ejwYuhe4mL7w4wtVkSmeI@mail.gmail.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:100615:tls@ietf.org::6ApIrsYe+CM99unk:CCVy
X-Hashcash: 1:22:100615:agl@google.com::dR2lqUDieD9Cueeg:P1iE
Date: Tue, 15 Jun 2010 23:53:22 +0200
In-Reply-To: <AANLkTimsd145GswXqoHbkh9ejwYuhe4mL7w4wtVkSmeI@mail.gmail.com> (Adam Langley's message of "Tue, 15 Jun 2010 17:31:58 -0400")
Message-ID: <87zkyw2ca5.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Virus-Scanned: clamav-milter 0.96.1 at yxa-v
X-Virus-Status: Clean
Cc: TLS@ietf.org
Subject: Re: [TLS] Renego Indication RI patch interaction with TLS major version interop
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2010 21:53:44 -0000
Adam Langley <agl@google.com> writes: F> On Tue, Jun 15, 2010 at 5:16 PM, Simon Josefsson <simon@josefsson.org> wrote: >> jas@mocca:~$ gnutls-cli -p 443 www.paypal.com >> Resolving 'www.paypal.com'... >> Connecting to '64.4.241.49:443'... >> *** Fatal error: A TLS packet with unexpected length was received. >> *** Handshake has failed >> GNUTLS ERROR: A TLS packet with unexpected length was received. >> jas@mocca:~$ > > Although I can confirm the brain damage exhibited by www.microsoft.com > and www.ibm.com, www.paypal.com doesn't have an issue with a > ClientHello advertising TLS version 1.2. It might have other problems, > but see the attached handshake. After some debugging, I can confirm that TLS 1.1/1.2 is not the problem. The aspect causing problems with www.paypal.com is record padding, because this works: gnutls-cli -p 443 www.paypal.com --priority NORMAL:%COMPAT Random record padding has been part of TLS since a long time. Alas, GnuTLS appears to be the only implementation making use of this. It has to be supported, though, even RFC 2246 contained this wording: padding Padding that is added to force the length of the plaintext to be an integral multiple of the block cipher's block length. The padding may be any length up to 255 bytes long, as long as it results in the TLSCiphertext.length being an integral multiple of the block length. Lengths longer than necessary might be desirable to frustrate attacks on a protocol based on analysis of the lengths of exchanged messages. Each uint8 in the padding data vector must be filled with the padding length value. We've seen many implementations that barf on random record padding. /Simon
- [TLS] Renego Indication RI patch interaction with… Marsh Ray
- Re: [TLS] Renego Indication RI patch interaction … Brian Smith
- Re: [TLS] Renego Indication RI patch interaction … Michael D'Errico
- Re: [TLS] Renego Indication RI patch interaction … Marsh Ray
- Re: [TLS] Renego Indication RI patch interaction … Simon Josefsson
- Re: [TLS] Renego Indication RI patch interaction … Adam Langley
- Re: [TLS] Renego Indication RI patch interaction … Simon Josefsson
- Re: [TLS] Renego Indication RI patch interaction … Brian Smith
- Re: [TLS] Renego Indication RI patch interaction … Marsh Ray
- Re: [TLS] Renego Indication RI patch interaction … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Renego Indication RI patch interaction … Martin Rex
- Re: [TLS] Renego Indication RI patch interaction … Michael D'Errico
- Re: [TLS] Renego Indication RI patch interaction … Martin Rex
- Re: [TLS] Renego Indication RI patch interaction … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Renego Indication RI patch interaction … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Renego Indication RI patch interaction … Ivan Ristic
- Re: [TLS] Renego Indication RI patch interaction … Peter Gutmann
- Re: [TLS] Renego Indication RI patch interaction … Peter Gutmann
- Re: [TLS] Version (in)tolerance Marsh Ray
- Re: [TLS] Version (in)tolerance Peter Gutmann
- Re: [TLS] Version (in)tolerance Marsh Ray
- Re: [TLS] Version (in)tolerance Martin Rex
- Re: [TLS] Version (in)tolerance Marsh Ray