IETF Logo Mail Archive

Re: [TLS] The risk of misconfiguration

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 12 May 2014 03:17 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08D3E1A03DF for <tls@ietfa.amsl.com>; Sun, 11 May 2014 20:17:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I2hinJqe9mt9 for <tls@ietfa.amsl.com>; Sun, 11 May 2014 20:17:01 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 829951A03D8 for <tls@ietf.org>; Sun, 11 May 2014 20:17:01 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 781D12AB0F7; Mon, 12 May 2014 03:16:54 +0000 (UTC)
Date: Mon, 12 May 2014 03:16:54 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140512031652.GS27883@mournblade.imrryr.org>
References: <r422Ps-1075i-86F090E8F0F24995ADF1E9A36C4EC216@Williams-MacBook-Pro.local> <53703A23.4000304@pobox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <53703A23.4000304@pobox.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/g6ZiD1NjQjQOwkGb8llWKXGzfkk
Subject: Re: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 May 2014 03:17:06 -0000

On Sun, May 11, 2014 at 08:04:03PM -0700, Michael D'Errico wrote:

> Bill Frantz wrote:
> >
> >Now I recognize that there is a significant footgun in having NULL cypher
> >suites in a mix of protocols offered by a client. One way to reduce the
> >risk is to say, "The server MUST reject any connection attempt where the
> >offered cypher suites include both suites providing encryption and those
> >which have NULL encryption.
> 
> Why not have the server choose a non-NULL cipher suite if both types
> are offered instead of rejecting the connection?

I am not convined that any special action should be taken on the
server side.  My original suggestion was that client implementations
could by default attempt to catch some configuration errors (user
interface improvement).  Server-side enforcement (effectively a
protocol change) is likely unnecessary complexity.

There may even be use-cases in which the client prefers authenticated
NULL ciphers, but if the choice is between a handshake failure or
being forced to encrypt, is willing to encrypt.  I expect this to
be quite rare, but there is no compelling reason to rule this out.

Clients that offer NULL ciphers to servers not a-priori known to
support them will almost always find their offer declined.

So on balance I don't think it would be appropriate to *require*
any particular server behaviour here, however implementations MAY
implement optional features that enforce sensible policies at either
end.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email