IETF Logo Mail Archive

Re: [TLS] Renego Indication RI patch interaction with TLS major version interop

"Brian Smith" <brian@briansmith.org> Tue, 15 June 2010 16:46 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9630A3A6B12 for <tls@core3.amsl.com>; Tue, 15 Jun 2010 09:46:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4yliUxAEP1cn for <tls@core3.amsl.com>; Tue, 15 Jun 2010 09:46:16 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by core3.amsl.com (Postfix) with ESMTP id AFB023A6A2F for <tls@ietf.org>; Tue, 15 Jun 2010 09:46:16 -0700 (PDT)
Received: from T60 (unknown [70.245.69.20]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 44FEB509E3; Tue, 15 Jun 2010 12:46:14 -0400 (EDT)
From: Brian Smith <brian@briansmith.org>
To: 'Marsh Ray' <marsh@extendedsubset.com>
References: <4C17AA89.8060904@extendedsubset.com>
In-Reply-To: <4C17AA89.8060904@extendedsubset.com>
Date: Tue, 15 Jun 2010 11:46:11 -0500
Message-ID: <005101cb0caa$46166ec0$d2434c40$@briansmith.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
thread-index: AQKzj5CA6erlZBussgMZ+rkdV5Xn+QHpETiT
Content-Language: en-us
Cc: tls@ietf.org
Subject: Re: [TLS] Renego Indication RI patch interaction with TLS major version interop
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2010 16:46:18 -0000

Marsh Ray wrote:
> Article from Yngve:
> http://my.opera.com/yngve/blog/2010/06/02/renego-patched-servers-a-long-
> term-interoperability-time-bomb-brewing
> 
> http://www.links.org/?p=943
> 
> I haven't finished reading the full article yet, but I thought others
would be
> interested:
> > In the past few weeks, as many as 80-90% of the newly patched servers
> > have refused to negotiate with our tester (the TLS Prober) when it
> > claimed to support the hypothetical v4.1 TLS protocol version (or, as
> > I call it, "TLS NG"). This is much higher than the 69% of all servers
> > that generally exhibit the same problem.

NSS has an explicit check that the first byte of every version number is
0x03. I imagine other implementations have a similar check. Version handling
in NSS will be revamped sometime before TLS 1.1 and TLS 1.2 support are
added to it, and  the patches for that work already remove the check for
0x03.

His test would probably be much more successful if he used 0x03FF as the
version number. I don't think it is a big deal; the main consequence is that
all TLS version numbers should continue to start with 0x03. 

Regards,
Brian

v2.23.0 | Report a Bug | By Email