IETF Logo Mail Archive

Re: [TLS] Avoiding first use of RI in ClientHello

Eric Rescorla <ekr@networkresonance.com> Thu, 26 November 2009 00:05 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A4CEA3A6819 for <tls@core3.amsl.com>; Wed, 25 Nov 2009 16:05:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.142
X-Spam-Level:
X-Spam-Status: No, score=0.142 tagged_above=-999 required=5 tests=[AWL=0.124, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hRDmxphIdY1H for <tls@core3.amsl.com>; Wed, 25 Nov 2009 16:05:23 -0800 (PST)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id D2C863A6835 for <tls@ietf.org>; Wed, 25 Nov 2009 16:05:23 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 46FD16C32C9; Wed, 25 Nov 2009 16:05:53 -0800 (PST)
Date: Wed, 25 Nov 2009 16:05:53 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: Robert Relyea <rrelyea@redhat.com>
In-Reply-To: <4B0DBD9C.1090703@REDHAT.COM>
References: <20091125223502.4265B6C3285@kilo.networkresonance.com> <4B0DBD9C.1090703@REDHAT.COM>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091126000553.46FD16C32C9@kilo.networkresonance.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Avoiding first use of RI in ClientHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2009 00:05:24 -0000

At Wed, 25 Nov 2009 15:28:28 -0800,
Robert Relyea wrote:
> > It's unclear how often such fall-back logic would actually be needed,
> > and I do find Nelson's "tough love" approach here sort of appealing,
> > but it does seem to be a problem that you don't necessarily know for sure 
> > whether you need it or not until you've actually shipped the product 
> > with extensions, and possibly broken applications that currently work. 
> > It's especially concerning that fall-back can't be implemented reliably
> > inside the TLS library, e.g., if you just get a filehandle, so changes
> > to the app logic are required.
> >   
> I think we already have a handle on this. Most modern browsers already
> send extensions in their initial handshakes. This change has been
> responsible for the final demise of SSLv2.
> 
> The whole idea that extensions are rare just doesn't match with today's
> reality. Yes, there are some implementations that can't handle them.
> That is a very small percentage compared to the number of
> implementations that can't safely renegotiate (e.i. 100% of them). Those
> implementations already have to deal with a world in which extensions
> are real and common. They also have to deal with a world in which their
> code will need to be patched in order to be safe anyway.
>
> > The rest of this message describes a simple modification [*] to
> > draft-ietf-tls-negotiation which I think addresses this compatibility
> > issue without requiring fall-back.
> >
> > The idea is to use a magic cipher suite to signal that the client can
> > securely renegotiate (as described in
> > draft-mrex-tls-secure-renegotiation). 
> I'm not excited about the magic cipher suite hack for SSLv3, but I can
> live with it if I have to. I am strongly opposed to extending it to TLS.
> In the TLS world extensions are expected, normal, and now common. There
> is no reason to overload a field created specifically to determine a
> compatible cipher suite with something that extensions are designed to do.

I'd be very interested in seeing data on what fraction of existing
servers can't handle extensions. Is there any chance that you have
measurements?

Thanks,
-Ekr

v2.23.0 | Report a Bug | By Email