Re: [TLS] draft-ietf-tls-tls13-24 supported_versions complexity
Nikos Mavrogiannopoulos <nmav@redhat.com> Fri, 02 March 2018 08:21 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBBE012422F for <tls@ietfa.amsl.com>; Fri, 2 Mar 2018 00:21:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stsHJdKZdtUS for <tls@ietfa.amsl.com>; Fri, 2 Mar 2018 00:21:54 -0800 (PST)
Received: from mail-wm0-f45.google.com (mail-wm0-f45.google.com [74.125.82.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 753491241F8 for <tls@ietf.org>; Fri, 2 Mar 2018 00:21:53 -0800 (PST)
Received: by mail-wm0-f45.google.com with SMTP id 188so1500499wme.1 for <tls@ietf.org>; Fri, 02 Mar 2018 00:21:53 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=CFJcDtP3BE+805BT2NfLQ8+WGHM6hRutw1pbpDBLQoA=; b=DPEPcMUk7cXT0ev5UfSTw2ULHSN7xj2m+kvVvhDIp0GcBgVm3SK9+J6Fu0KAKispQo KQA6atSEwJyGip+U4ku0Oidhn+SXr0ePS1mQ2/Ib0RjCeCAUQ94NwapSAtolpqEcMLRu iCMKw4Vng/aqSsUtntJskfU3BA0KQSi6zRLU5qeBvZlqKFdEZqI4sA+6qrb9r8xGGGex 9oXF7tqUQ03S47vbXfFPaofJp3/YTK4UywlOvHJHuZcELiCf2fvmG7j6+cvocqlKGK5D kBhRwMs5JKmpHcHLxpEQJszRYFjneAPKwhBK79gFVVMPnZPVvxSMz5pNhJ437H1tS6m/ fvYA==
X-Gm-Message-State: AElRT7H02Byuh6vOZRF6J+jDGHnBhKof8u+TRGt86wYNc5t9IvIz32Gw u43sTiG7qABwqzEaN52dHB6n6g==
X-Google-Smtp-Source: AG47ELuwjXIHdtx0YYwxW2Y0IzTd2204CxxMwp7Debj+TFp3GUOVYLpc4Z/Bzjg+aQrRNQEdK3Jlgg==
X-Received: by 10.28.34.4 with SMTP id i4mr839423wmi.157.1519978912316; Fri, 02 Mar 2018 00:21:52 -0800 (PST)
Received: from dhcp-10-40-1-102.brq.redhat.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id w29sm5729248wra.84.2018.03.02.00.21.51 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 02 Mar 2018 00:21:51 -0800 (PST)
Message-ID: <1519978911.514.6.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: "David A. Cooper" <david.cooper@nist.gov>, "tls@ietf.org" <tls@ietf.org>
Date: Fri, 02 Mar 2018 09:21:51 +0100
In-Reply-To: <9233569e-fc21-e6dd-b84c-6a98e29a4f02@nist.gov>
References: <9233569e-fc21-e6dd-b84c-6a98e29a4f02@nist.gov>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.26.5 (3.26.5-1.fc27)
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eGS7RBYLNkCcaaKHiv8RjRjhQjM>
Subject: Re: [TLS] draft-ietf-tls-tls13-24 supported_versions complexity
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2018 08:21:57 -0000
On Thu, 2018-03-01 at 10:49 -0500, David A. Cooper wrote: > > I believe you are misinterpreting the text, but agree that it could > be > made more clear. > > Suppose that the ClientHello includes a supported_versions > extensions > that contains two values, TLS 1.4 and TLS 1.0, and the server > supports > TLS 1.3 and below. My interpretation of the current draft is that > the > server MUST use the supported_versions extension to determine the > client's preference, but then once deciding to use TLS 1.0 for the > connection sends a normal TLS 1.0 ServerHello, with version field set > to > 0x0300 and no supported_versions extension. Note that Section 4.2.1 > says > that > > A server which negotiates TLS 1.3 MUST respond by sending a > "supported_versions" extension containing the selected version > value (0x0304). > > It says nothing about a server that negotiates an earlier version. > > If my understanding is correct, then I believe the text in Section > 4.1.3 > could be made more clear. Draft -21 said that the version field of > ServerHello "contains the version of TLS negotiated for this > connection." (this is similar to what RFC 5246 said). The current > draft > says: > > In TLS 1.3, the TLS server indicates its version using the > "supported_versions" extension (Section 4.2.1), and the > legacy_version field MUST be set to 0x0303, which is the > version number for TLS 1.2. > > To be consistent with RFC 5246 and earlier, it seems like the text > should say something like: > > For a TLS 1.3 ServerHello the TLS server indicates its version > using the "supported_versions" extension (Section 4.2.1), and > the legacy_version field MUST be set to 0x0303, which is the > version number for TLS 1.2. For a TLS 1.2 and earlier > ServerHello > the legacy_version field contains the version of TLS > negotiated > for this connection. I understand that this is an interpretation that makes more sense and aligns with the -21 behavior, but I do not think that this is what this text literally says. Both Eric in his previous email and another engineer I've discussed the issue seem to agree that the intention is to use the new mechanism for all negotiations. You disagree on that, and it thus apparent that this text needs clarification. The text was written for -21 version which didn't have the server-side part of the extension, and the flow was natural for pre-TLS1.3 versions. When the change was done in -22 to include the server-side of the extension, this ambiguity (in your view) and complicated side- effect (in my view) was introduced. regards, Nikos
- [TLS] draft-ietf-tls-tls13-24 supported_versions … Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… David A. Cooper
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… David Benjamin
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Yuhong Bao
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-24 supported_versi… Eric Rescorla