Re: [TLS] consensus on backwards compatibility changes

Dave Garrett <davemgarrett@gmail.com> Sun, 25 January 2015 23:14 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B4D71A011B for <tls@ietfa.amsl.com>; Sun, 25 Jan 2015 15:14:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TrNRX2NW0isi for <tls@ietfa.amsl.com>; Sun, 25 Jan 2015 15:14:39 -0800 (PST)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B1AB1A00A3 for <tls@ietf.org>; Sun, 25 Jan 2015 15:14:39 -0800 (PST)
Received: by mail-qg0-f45.google.com with SMTP id q107so4786778qgd.4 for <tls@ietf.org>; Sun, 25 Jan 2015 15:14:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=gFc5/aObv5L+fWenRThnx50RtgGVz1baXszCMMDHDsg=; b=JcerUYQgASUf8ctUsfJPQS7FnHSTH5Ns+3RvUXmiPusvHYlR7yKQsXSciQdiyLSQmM A7SqRbfGAxJJKhmbIy3MTTl+x5MVSr2fWXelPeTDCAnCJRtw8sNKSxOS6W/RqjyhTIGK h0xJK5OKPiNahVRT/WDz9uICNSldYL4rM/g2b9n3HmqTeoNFsZZRnYKAPzAxeHjvRZLL ajud9N+Bau7qb34Wh6+nRApWl1VpjaZ4X+4idfJP+OJMJH7d7e8zEC5rmo3++dHu0Auq FAm2p5KWlJfldzRpDFIYtaYpgkHYyxFETUKscNs9Yan6RwTrrt8FK403f87BJelxiaEk 5xaw==
X-Received: by 10.140.19.139 with SMTP id 11mr35327254qgh.14.1422227678449; Sun, 25 Jan 2015 15:14:38 -0800 (PST)
Received: from dave-laptop.localnet ([96.245.56.59]) by mx.google.com with ESMTPSA id h34sm8316944qge.6.2015.01.25.15.14.37 (version=TLSv1 cipher=RC4-SHA bits=128/128); Sun, 25 Jan 2015 15:14:38 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 25 Jan 2015 18:14:36 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-70-generic-pae; KDE/4.4.5; i686; ; )
References: <201412300503.03923.davemgarrett@gmail.com> <20150125200326.GA27020@roeckx.be>
In-Reply-To: <20150125200326.GA27020@roeckx.be>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201501251814.36985.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ca0i6OZGO3PjcFAYdiIkGQeO6YM>
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jan 2015 23:14:41 -0000

On Sunday, January 25, 2015 03:03:27 pm Kurt Roeckx wrote:
> On Tue, Dec 30, 2014 at 05:03:03AM -0500, Dave Garrett wrote:
> > PR #105 remove SSL 2 backwards compatibility section & prohibit SSL negotiation
> > https://github.com/tlswg/tls13-spec/pull/105
> 
> Doesn't that "or accept" prevent the previous sentence?  And isn't
> the rest already covered by the first sentence?

The SSL2 CLIENT-HELLO format can be used with TLS 1.0 (version {3,1}).

Explaining each part:

> | Implementations MUST NOT send an SSL version 2.0 compatible CLIENT-HELLO.

Regardless of what versions are in play, the SSL2 format is not allowed to be sent.
It can optionally still be accepted by servers, however, only for backwards compatibility.

> | Implementations MUST NOT negotiate TLS 1.3 or later using an SSL version 2.0 compatible
> | CLIENT-HELLO. Implementations MAY accept an SSL version 2.0 compatible CLIENT-HELLO in
> | order to negotiate older versions of TLS, however this is not recommended.

The old format can be used to negotiate TLS 1.0-1.2, but not 1.3+ or SSL.
Servers are not required to support this and can ignore them if preferred.

> | Implementations MUST NOT send or accept any records with a version less than { 3, 0 }.

Nothing stating a version for SSL2 or any bogus versions below SSL3 are allowed.
A v2 format hello with a TLS 1.0 version is unfortunately permitted.
Dropping support for this is an open issue:
https://github.com/tlswg/tls13-spec/issues/113

The minimum version tolerated here is for SSL3 due to the requirement to accept
record layer versions of any {3,X} for backwards compatibility. Hello record layer
versions mean pretty much nothing in current practice.


Dave