Re: [TLS] Thoughts on Version Intolerance
Yuhong Bao <YuhongBao_386@hotmail.com> Sun, 24 July 2016 16:50 UTC
Return-Path: <YuhongBao_386@hotmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6C4112D534 for <tls@ietfa.amsl.com>; Sun, 24 Jul 2016 09:50:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.037
X-Spam-Level:
X-Spam-Status: No, score=-3.037 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ATzJwo4BoxYD for <tls@ietfa.amsl.com>; Sun, 24 Jul 2016 09:50:26 -0700 (PDT)
Received: from COL004-OMC2S14.hotmail.com (col004-omc2s14.hotmail.com [65.55.34.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7B6E12D14A for <tls@ietf.org>; Sun, 24 Jul 2016 09:50:25 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com ([65.55.34.71]) by COL004-OMC2S14.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Sun, 24 Jul 2016 09:50:25 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=k+bKnmbWclzSxJWkWzbrAGcDQhVzYCyWQtzZjrvVy3I=; b=jBoHdQlmz+GNMtc9v2l9nE2UMO92fDFsjOpigjQbcog9DNNVZT6HrjbI5if96lyqU48L0qQ+Im/9aqylzgVLWsla4MiYg7Z5U04ZNqg5PY42FS3+45AUHXyOSuB7qW2qoxMy2IjLBpdhaqq40JEm6qRAE94S2uA/qY4WoUVd6crL1dKhBaJWnvY3EfeY51iKt6RVQadA25NWMttIEYtf3rTU5G17OdZe+eD0JDLMDPYde+s2rHidIJWKj/r4UMOQG8T5P6Yprhsqa/OIOFStBTqfPgJfQbcAlUC0k3Q2Yr8RkRqDRGn7Pv1AvU4IStBTLzhapPueDzghbARXZA9lrQ==
Received: from BN3NAM01FT036.eop-nam01.prod.protection.outlook.com (10.152.66.54) by BN3NAM01HT148.eop-nam01.prod.protection.outlook.com (10.152.66.219) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.549.5; Sun, 24 Jul 2016 16:50:24 +0000
Received: from DM2PR07MB287.namprd07.prod.outlook.com (10.152.66.56) by BN3NAM01FT036.mail.protection.outlook.com (10.152.67.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.549.5 via Frontend Transport; Sun, 24 Jul 2016 16:50:22 +0000
Received: from DM2PR07MB287.namprd07.prod.outlook.com ([169.254.14.126]) by DM2PR07MB287.namprd07.prod.outlook.com ([169.254.14.126]) with mapi id 15.01.0528.029; Sun, 24 Jul 2016 16:50:21 +0000
From: Yuhong Bao <YuhongBao_386@hotmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Thoughts on Version Intolerance
Thread-Index: AQHR4OTJ0GaEVOOFWEy8xwOWQyWt9KAeKQuAgALlKQCAAAtcgIAAX5yAgAE3ywCAAvDtuoAB4poAgABQHYU=
Date: Sun, 24 Jul 2016 16:50:21 +0000
Message-ID: <DM2PR07MB28789A17ED05C5F954CFCC9C30C0@DM2PR07MB287.namprd07.prod.outlook.com>
References: <20160718130843.0320d43f@pc1> <1735315.hXCMA8agXV@pintsize.usersys.redhat.com> <2867948.pp4OFeU9TP@pintsize.usersys.redhat.com> <20160720120125.43f61155@pc1> <98ba8be3-54ca-636b-bca4-4b83682708f5@akamai.com>, <CAF8qwaAZ+c0th_n_MZtnBXUg64eaf58DPhoFaPcntST1kcPFZA@mail.gmail.com>, <DM2PR07MB287A1EB5E3238008ACAAF6DC30B0@DM2PR07MB287.namprd07.prod.outlook.com>, <9A043F3CF02CD34C8E74AC1594475C73F4CD30BD@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73F4CD30BD@uxcn10-5.UoA.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=softfail (sender IP is 10.152.66.56) smtp.mailfrom=hotmail.com; cs.auckland.ac.nz; dkim=none (message not signed) header.d=none;cs.auckland.ac.nz; dmarc=fail action=none header.from=hotmail.com;
received-spf: SoftFail (protection.outlook.com: domain of transitioning hotmail.com discourages use of 10.152.66.56 as permitted sender)
x-tmn: [chr6eIJXPeLMw5+bZP40Evtpye4c6zar]
x-eopattributedmessage: 0
x-forefront-antispam-report: CIP:10.152.66.56; IPV:NLI; CTRY:; EFV:NLI; SFV:NSPM; SFS:(10019020)(98900003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3NAM01HT148; H:DM2PR07MB287.namprd07.prod.outlook.com; FPR:; SPF:None; LANG:en;
x-microsoft-exchange-diagnostics: 1; BN3NAM01HT148; 6:zp6BVbJP3j3Rqj4VfaPGv1c+jiR3dRa94vr9dae1d9RC66SOqfoIpQttVgrYGdAaYFGx87MMfpYU0b0cvuFOthvopN6c7lvB1X62k23RPAR54aKX2YzRRf9MYCN8JHZxAca/2yYfIGG1NgqKnvpmFfOlsRf/E4zihr8lO5em6SuEXPt9aAs6plNTZ8lswsvSXNa6vQPQ8UHcl9Eewwj6oxV7dhO+812tIBGkqmoyjNoZDQhaxKebpnWzxSQZJMJ7fmW9ekbxvDq51ZLvlca+VW/3rFrDYPcZRCyXfeVjLt4W9a8fyQThfqEdvUkSe0hI; 5:6+zOX88Bj3wkJyi4BOHEYBgskB3zVO/SCWGJr0eqqrJhxMO5q4FLEG+hfBKHPtAAEUBhZEC0bGitPOMtrM/sfIyk6bOY/5E+QiJ+mOXxoIutk/jjyuaDaTqSuUMJrNSvOZ2X12jFRjm+u34wc15Q/Q==; 24:I2+LAwWaZshstvb9I497SlkfAXcCY1AM6LDKL6RgQY/zSJTJw4gLxp1EU28cGUcKRTdgK+faTOIO7HU+l40FTlmFAqagk6+1XgaX/+T+i60=; 7:7yBHngcRVpXldtroreWhG/Im8zqURscjoIZm+gf4PCurXQLFdUHMSMS9LRFvgFzmgDxc8BwqPt7mJUKR9yt3yQjuW2lQrVwpqjyk5Nd79PaqxvHj1AZypyHkAwSBJCJbgQQ4rqZW0DZPW6JLqO22xpJUh0VGXL6QM1lqGvfj9eASwLj+vvroBBYVQYOpAwZYXtDDxNSdqiPSipK/SEqGs+3sdhW7hs2hpQAjhKIrAU/3rZk0h6J/X/iVn3GUqEC1
x-ms-office365-filtering-correlation-id: 440f8b36-f920-4c83-7673-08d3b3e29a1e
x-microsoft-antispam: UriScan:; BCL:1; PCL:0; RULEID:(1601124038)(1601125047); SRVR:BN3NAM01HT148;
x-exchange-antispam-report-cfa-test: BCL:1; PCL:0; RULEID:(432015012)(82015046); SRVR:BN3NAM01HT148; BCL:1; PCL:0; RULEID:; SRVR:BN3NAM01HT148;
x-forefront-prvs: 0013079544
spamdiagnosticoutput: 1:5
spamdiagnosticmetadata: :1
Content-Type: multipart/alternative; boundary="_000_DM2PR07MB28789A17ED05C5F954CFCC9C30C0DM2PR07MB287namprd_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jul 2016 16:50:21.8040 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3NAM01HT148
X-OriginalArrivalTime: 24 Jul 2016 16:50:25.0412 (UTC) FILETIME=[79BEBC40:01D1E5CB]
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cgdpZ72ej3we7HVIDvlMLLliyxg>
Subject: Re: [TLS] Thoughts on Version Intolerance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jul 2016 16:50:29 -0000
I don't have access unfortunately, but I wonder which companies on this mailing list are using the affected APC devices. ________________________________ From: Peter Gutmann <pgut001@cs.auckland.ac.nz> Sent: Sunday, July 24, 2016 5:01:42 AM To: Yuhong Bao Subject: RE: [TLS] Thoughts on Version Intolerance Do you have access to a device running that software, or are you just passing on the info? I'd like to run some test messages against it... Peter. ________________________________ From: TLS [tls-bounces@ietf.org] on behalf of Yuhong Bao [YuhongBao_386@hotmail.com] Sent: Saturday, 23 July 2016 19:16 To: David Benjamin; Benjamin Kaduk; Hanno Böck; tls@ietf.org Subject: Re: [TLS] Thoughts on Version Intolerance I should also mention the APC fiasco: http://www.apc.com/us/en/faqs/FA238115/ UPDATED MARCH-2016: Unable to access my APC Network Management Card (NMC) enabled device via HTTPS (SSL/TLS)<http://www.apc.com/us/en/faqs/FA238115/> www.apc.com UPDATED MARCH-2016: Unable to access my APC Network Management Card (NMC) enabled device via HTTPS (SSL/TLS) I wonder if anyone has tested the TLS 1.2 implementation they did later not only for version intolerance but also for other bugs like GCM nonce reuse. ________________________________ From: TLS <tls-bounces@ietf.org> on behalf of David Benjamin <davidben@chromium.org> Sent: Thursday, July 21, 2016 3:19:34 AM To: Benjamin Kaduk; Hanno Böck; tls@ietf.org Subject: Re: [TLS] Thoughts on Version Intolerance On Wed, Jul 20, 2016 at 5:43 PM Benjamin Kaduk <bkaduk@akamai.com<mailto:bkaduk@akamai.com>> wrote: On 07/20/2016 05:01 AM, Hanno Böck wrote: > On Wed, 20 Jul 2016 11:20:46 +0200 > Hubert Kario <hkario@redhat.com<mailto:hkario@redhat.com>> wrote: > >> so it looks to me like while we may gain a bit of compatibility by >> using extension based mechanism to indicate TLSv1.3, > Just quick: This was discussed yesterday, David Benjamin had an > interesting proposal, but it was largely met with resistance. So from I had some follow-up discussion with David and a few others later in the day. One point that I think was not clear during the WG session was whether the check for whether a server's version negotiation is futureproof could be done in the hot path, so that it is impossible to implement a server that works in a major browser and is (e.g., 1.4) version-intolerant. Right now, if a browser wants to probe for (e.g., 1.3) version intolerance, it essentially has to treat it as a data-collection step, either doing the fallback dance on failure or just doing the probe in parallel with a 1.2 clienthello that is actually used for the connection, since we know that 1.3-intolerance exists. With David's proposal (and potentially variants of the other ones), browsers could implement a check that sends nonexistent versions in their clienthello, so that once a server implements 1.3, it would not be 1.4-intolerant. If we just keep with the current version negotiation scheme, we'll always be stuck in the "data-collecting" mode and won't be able to strictly enforce the future-proofing, since there are existing servers that are intolerant to the current scheme, and the browsers will be blamed for breaking sites on those servers if the browsers try to introduce strict enforcement of version negotiation future-proofing. [Credit where credit is due, I was not the first to propose the version list. I don't know who was first, but Dave Garrett had proposed the same thing. The TLS 1.3 implementors effectively did so too with the draft version extension. Though I think the fake versions idea is new?] I should also add that, even if we ever got to our prerequisite quiet point, this scheme is still problematic. If we had a list, all clients could participate in this fuzzing and we have a shot at vaccinating the ecosystem. This one violates the specification, so only clients which can rapidly deploy changes can safely do it. (Some sort of field trial mechanism, for instance.) And it requires manual work to sustain: I would probably only do it for, say, 3 months at a time and manually extend so long as TLS 1.4 does not exist. I would not want to cause problems by forgetting to turn it off. And as Hubert notes, there may well be other intolerance triggers to clear through. 1.3 has a larger ClientHello. We have also never added a new signature algorithm before. But I think that just means we have more rusted protocol joints fix rather than just the one. Fortunately, most of our other joints admit this kind of fuzzing. It's just the versioning scheme (fixable with a list), and large ClientHellos. I don't have a good answer to the second one, but I would be very happy if it were our only problem. It's much easier to understand. The version one is surprisingly difficult. The conversations usually go like this: "Hi, your server software appears to have a bug where you reject TLS 1.2 ClientHellos rather than implementing the version negotiation right." "Okay, we will deploy TLS 1.2." "No, please don't fix this with 1.2. That's a different problem." "You don't want us to add 1.2?" "No no no. Please do switch to 1.2. I mean... oh, nevermind. I'll just email you later for 1.3." I am obviously exaggerating for humor, but it's a very common confusion and I think is part of why version intolerance keeps on existing. If you implement the latest version of TLS but are intolerant to N+1, even if no clients did fallbacks, your bug will not be noticed and you'll thrive in the ecosystem. Then when we go to deploy N+1, we have problems. We want, as much as possible, turn tomorrow's interop failures into today's interop failures so the bugs are caught before software ships. David -Ben > the WG discussion yesterday I had the impression that we will most > likely stay with the existing clienthello version mechanism. While that > will cause us more trouble, it's probably the cleaner option anyway. So > we definitely should continue investigating version intolerance and > tell people to fix their stuff. > _______________________________________________ TLS mailing list TLS@ietf.org<mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls
- [TLS] Client Hello size intolerance Was: Re: Thou… Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Yuhong Bao
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Ivan Ristić
- Re: [TLS] Thoughts on Version Intolerance Yuhong Bao
- Re: [TLS] Thoughts on Version Intolerance Yuhong Bao
- Re: [TLS] Thoughts on Version Intolerance David Benjamin
- Re: [TLS] Thoughts on Version Intolerance Brian Smith
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Peter Gutmann
- Re: [TLS] Thoughts on Version Intolerance Ilari Liusvaara
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance David Benjamin
- Re: [TLS] Thoughts on Version Intolerance Watson Ladd
- Re: [TLS] Thoughts on Version Intolerance Martin Rex
- Re: [TLS] Thoughts on Version Intolerance Benjamin Kaduk
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Watson Ladd
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Kyle Rose
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance Martin Rex
- Re: [TLS] Thoughts on Version Intolerance Hanno Böck
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- Re: [TLS] Thoughts on Version Intolerance David Benjamin
- Re: [TLS] Thoughts on Version Intolerance Ilari Liusvaara
- Re: [TLS] Thoughts on Version Intolerance Hubert Kario
- [TLS] Thoughts on Version Intolerance Hanno Böck
- Re: [TLS] Client Hello size intolerance Was: Re: … David Benjamin
- Re: [TLS] Client Hello size intolerance Was: Re: … Hubert Kario
- Re: [TLS] Client Hello size intolerance Was: Re: … Brian Smith
- Re: [TLS] Thoughts on Version Intolerance Dave Garrett
- Re: [TLS] Thoughts on Version Intolerance Ilari Liusvaara