Re: [TLS] Redefine Finished message for TLS 1.3 ?

Martin Rex <mrex@sap.com> Sun, 15 November 2009 03:49 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 07DD43A67F9 for <tls@core3.amsl.com>; Sat, 14 Nov 2009 19:49:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.18
X-Spam-Level:
X-Spam-Status: No, score=-6.18 tagged_above=-999 required=5 tests=[AWL=0.069, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pPncldZ5Ux-O for <tls@core3.amsl.com>; Sat, 14 Nov 2009 19:49:10 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id E4B3A3A67E2 for <tls@ietf.org>; Sat, 14 Nov 2009 19:49:09 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAF3ndgE025513 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 15 Nov 2009 04:49:40 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911150349.nAF3ndet024229@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Sun, 15 Nov 2009 04:49:39 +0100
In-Reply-To: <4AFF6EFA.6080508@pobox.com> from "Michael D'Errico" at Nov 14, 9 07:01:14 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Redefine Finished message for TLS 1.3 ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 03:49:11 -0000

Michael D'Errico wrote:
> 
> > The more I think about it, the more I'm opposed to using
> > TLS extensions to wrap this fix.  It's just to urgent and serious
> > to spend such an amount of time on a fancy wrapping.
> 
> I'm OK with whatever the fix becomes, but just want to point out
> that changing the Finished message calculation for renegotiations
> does not protect a patched client when talking to an unpatched
> server.

The negotiation (=signaling C->S and more importantly S->C) in
ClientHello and ServerHello is what clients can use to protect
themselves.  They can warn or decide to not talk to servers
that are not patched at some point in the future.

An warning popup is a suitable method to apply market pressure.

A lack of interoperability is not a suitable method,
it is rather a sign of poor engineering.


All Browsers that added newer TLS versions and the TLS extension SNI
also had to add an app-level reconnect fallback because of the
resulting interop problems.


If we wrap this fix into a TLS extension, then every recipient of that
fix will encounter the very same interop problems as the Browser
vendors/implementors.

This will result in annoyed customers, many support calls,
some apps will be enhanced to also add re-connect fallbacks,
but overall it will significantly slow down the adoption of
the patch -- instead, the workaround to take countermeasures
to TLS renegotiation will then effectively kill renegotiation.


I think it is neither reasonable nor justified to cause so much
pain when it is possible to fix the problem with significantly
less resulting interop problems by _NOT_ using a TLS extension.



Side note: I do think we should add 1 page of guidance to
implementors in the final document outlining what implementors
should really check and fix when they touch code in order to
implement the fix for TLS renegotiation.

  - how to correctly process a ClientHello with additional data
    (all protocol version SSLv3->TLSv1.2)

  - how to correctly process the protocol version fields in
    the handshake messages and record protocol.

(but really only 1 page).

-Martin