IETF Logo Mail Archive

Re: [TLS] SSL 2 CLIENT-HELLO backwards compatibility compromise

Brian Smith <brian@briansmith.org> Thu, 12 February 2015 23:34 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 472F01A00FF for <tls@ietfa.amsl.com>; Thu, 12 Feb 2015 15:34:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SaoGrkQd3-D9 for <tls@ietfa.amsl.com>; Thu, 12 Feb 2015 15:34:32 -0800 (PST)
Received: from mail-ob0-f175.google.com (mail-ob0-f175.google.com [209.85.214.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 694DA1A00D8 for <tls@ietf.org>; Thu, 12 Feb 2015 15:34:32 -0800 (PST)
Received: by mail-ob0-f175.google.com with SMTP id va2so14127461obc.6 for <tls@ietf.org>; Thu, 12 Feb 2015 15:34:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=/V5aWCyosI9/3s5ecKRBzfD6p3Rkhi3cAFdIFMTx0+0=; b=TFsvLHzR82ZjjLUZJABK+cRs5QvryxJwa25Q/XD29XD3Sipw57hm2TDXpKdvgUHEDO fVSv4/lU0DCPG3kNjoZpCqVR8/tamAEMFSYJO2/2gVzDKZ1YvAt9wfsjVeEZZkcnPFLD t4qPOVjOoUNy3+EhC2MPj/0PbILgjt4fRnkVHctjUP6/dk05VY+uBcGb84uI+aA9UfHn sIxTjVpCiKHqdvgu3wFb62CbNUNdpIXwcu5m38/CQPuJqQLKcp99LHxHl8Ne5P+tEqPS S1tVmr09o224EYmGZUhs2VDRdCSrfKYu/9cSfHmy+WuDXxU/hTQoQXWPffwph37LYluh f7yA==
X-Gm-Message-State: ALoCoQneVg+IFAozT395WKXLT7/CfJ4eGKkOu2FgVsJ3wY/BdcF2gi5ddbFqgx08CdytQZr8Yi5C
MIME-Version: 1.0
X-Received: by 10.182.246.69 with SMTP id xu5mr4541379obc.11.1423784071899; Thu, 12 Feb 2015 15:34:31 -0800 (PST)
Received: by 10.76.74.167 with HTTP; Thu, 12 Feb 2015 15:34:31 -0800 (PST)
In-Reply-To: <201502121727.24768.davemgarrett@gmail.com>
References: <201502121727.24768.davemgarrett@gmail.com>
Date: Thu, 12 Feb 2015 15:34:31 -0800
Message-ID: <CAFewVt77NnjKPR-FcaSDfPiHrotRutgwuM5D9e9GLOvoBrRECg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fIZ14i-LHoYdPOSbFcNfIDpKZzg>
Cc: Florian Weimer <fweimer@redhat.com>, "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] SSL 2 CLIENT-HELLO backwards compatibility compromise
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2015 23:34:34 -0000

Dave Garrett <davemgarrett@gmail.com> wrote:
> Option #0) Current draft
> v2 format MUST NOT be sent ever
> v2 format MUST NOT be used at all for TLS 1.3+
> v2 format NOT RECOMMENDED to accept for TLS 1.0-1.2

I think this is fine. We should move on to more important issues.

> Option #2) Restrict to TLS 1.0
> v2 format MUST NOT be sent ever
> v2 format MUST NOT be used at all for TLS 1.1+
> v2 format NOT RECOMMENDED to accept for TLS 1.0

How to negotiate TLS 1.0 and what is acceptable for TLS 1.0 is out of
scope for the TLS 1.3 specification. (More generally, what to do for
earlier versions is out of scope.)

Cheers,
Brian

v2.23.0 | Report a Bug | By Email