IETF Logo Mail Archive

Re: [TLS] New TLS version negotiation mechanism extension

Dave Garrett <davemgarrett@gmail.com> Sat, 28 March 2015 02:53 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EDA01A1B6D for <tls@ietfa.amsl.com>; Fri, 27 Mar 2015 19:53:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0_bYcWEJVDN for <tls@ietfa.amsl.com>; Fri, 27 Mar 2015 19:53:33 -0700 (PDT)
Received: from mail-qg0-x233.google.com (mail-qg0-x233.google.com [IPv6:2607:f8b0:400d:c04::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E5991A1B69 for <tls@ietf.org>; Fri, 27 Mar 2015 19:53:33 -0700 (PDT)
Received: by qgf60 with SMTP id 60so131486568qgf.3 for <tls@ietf.org>; Fri, 27 Mar 2015 19:53:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=1S52AmwwbgOMYejhF4jJ0+yqZR0dBpf4+Guj7Lcf4vA=; b=sth8hRiEsCAOtUp+9uSlyYX/or09qJVHSIRAr7uNdSKuD6+LG1SVrX96I+y+KB96Df 1GdV79rUYnU+gppBxZnxsnncHe+D8Ls84IHwd+t5p3opZ3eNYm2vBp+KhByTA8oIoJuP n8a4UrEpHS6GR55l8cHLfNVoQenjZ8/HGF/MQP6wU5xlfnswiRvYcGa5bgRYbi/4S7oM rC9Bq5JtJsMqPWiN4uXdXcG6UI7IJ5W8OtSN1z57zgra1TBwuRM5m4nptcHNstObAHJ2 z/qdZQZu5X8Tb8sfz4mqgxtux2PtmzSf0YEX8d3kPqclV78CtfJET6TCsgayh+KCkd2f AVsA==
X-Received: by 10.140.132.197 with SMTP id 188mr29520055qhe.24.1427511212775; Fri, 27 Mar 2015 19:53:32 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id 78sm1568033qks.47.2015.03.27.19.53.31 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 27 Mar 2015 19:53:32 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Xiaoyin Liu <xiaoyin.l@outlook.com>, Brian Smith <brian@briansmith.org>
Date: Fri, 27 Mar 2015 22:53:30 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-71-generic-pae; KDE/4.4.5; i686; ; )
References: <201503260330.43588.davemgarrett@gmail.com> <201503271153.34569.davemgarrett@gmail.com> <BAY180-W16CB11289DEAA0E2A2681BFF090@phx.gbl>
In-Reply-To: <BAY180-W16CB11289DEAA0E2A2681BFF090@phx.gbl>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <201503272253.30495.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/bWkACopGODK1CmrFWbXZVZp4tJU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New TLS version negotiation mechanism extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Mar 2015 02:53:35 -0000

On Sunday, March 08, 2015 01:39:47 pm Dave Garrett wrote:
> A basic proposal for a new TLS version negotiation mechanism for TLS 1.3+. It'll be needed to handle draft implementations, if desired, and I think it might just be wanted for all negotiation. TLS 1.3 version intolerance is currently surveyed to be in the ~1.5% range [1]. The simplest method is to do so via a new mandatory extension, as has been suggested by people before.

On Tuesday, March 10, 2015 10:08:27 am Brian Smith wrote:
> I agree that that seems like the best way forward.
[...]
> Anyway, I support your proposal, if it is simplified.

On Friday, March 27, 2015 03:46:05 pm Xiaoyin Liu wrote:
> I support this version negotiation proposal, but I prefer the old one, i.e. listing all supported TLS versions.

Ok, I've written out the bulk of main changes that would be needed to do both potential new methods:
#1: an extension providing full lists of version support which the server find the highest common value of
#2: an extension using basically the same method as previously, but bumping the value to the extension

For others on the mailing list, the reasons for this are the irritatingly high rate of TLS 1.3+ version intolerance that would seriously hamper adoption of a new version, as well as the desire to negotiate draft versions to get widespread testing (similar to how HTTP/2 did things).

My initial idea was for method #1, however upon scrutiny by Brian and myself, I decided to work on fleshing out #2. The potential complexity did sound like a larger risk. After doing so, I think that whilst #2 ~sounds~ simpler because it's very similar to the current negotiation method, in reality, #1 is far more straightforward and has fewer potential pitfalls in implementing.

I have two WIP branches, one for each method:
#1: https://github.com/davegarrett/tls13-spec/compare/patch-3...davegarrett:EVN
#2: https://github.com/davegarrett/tls13-spec/compare/patch-3...davegarrett:NVN

(compare links because patch-3/PR#107 is approved, but not yet merged into trunk)

Comparing between the two branches, the main difference is that whilst the list method has more info for the server to deal with, it's simpler to handle and explain in fewer words more clearly. With the simple proposed value, the server has to pick the highest version it supports less than the proposed version. When throwing draft versions into the mix, a server needs to make sure not to offer an draft version if the client did not offer support for one. (alternatively we could have another extension for drafts, but that's more complicated overall and I really want a single method that gets properly tested prior to release) In enumerating the pitfalls I see, the errors that need to checked for in the list method can be explained more simply. I can lay out the entire list based algorithm in a handful of lines of pseudocode, whereas for the simple proposed value method it's a sprinkling of "MUST" instructions throughout the spec. This completely new method also ensures that nobody just uses whatever old algorithm they had with potentially problematic changes to handle the new. Note, that while I say "completely new", I mean new to TLS versioning. It's similar to ALPN in concept.

Note that in the current version of #2 (NVN branch) I'm recycling the hello version to use as a min_version to add the ability for servers to never even offer to downgrade further than the client wants. This could be dropped to simplify things, though I don't think it's worth it. The draft of #1 (EVN branch) does not need anything like that to have the server pick a viable version every time (if one exists), and can also handle non-continuous supported version lists easily. (e.g. support 1.2 and 1.4 but not 1.3, and have a 1.4 server negotiate 1.2 instead of offer 1.3 and fail) In that case, the hello version is frozen. Both branches rename the ServerHello version to negotiated_version to make it clear what it actually means. (with PR #107, the record layer version is also frozen)

So, now I think #1 is the way forward, after giving #2 a shot. Still a WIP, but any feedback would be greatly appreciated.


Dave

v2.23.0 | Report a Bug | By Email