[TLS] Antw: Re: Antw: Re: Suspicious behaviour of TLS server implementations

"Andreas Walz" <andreas.walz@hs-offenburg.de> Thu, 22 September 2016 12:30 UTC

Return-Path: <andreas.walz@hs-offenburg.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2464412DA14 for <tls@ietfa.amsl.com>; Thu, 22 Sep 2016 05:30:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.315
X-Spam-Level:
X-Spam-Status: No, score=-4.315 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-2.316] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hs-offenburg.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id paMxHTVte3AO for <tls@ietfa.amsl.com>; Thu, 22 Sep 2016 05:30:04 -0700 (PDT)
Received: from mx.hs-offenburg.de (mx.hs-offenburg.de [141.79.11.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38E2A12DC2D for <tls@ietf.org>; Thu, 22 Sep 2016 05:18:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx.hs-offenburg.de (Postfix) with ESMTP id 8AE2FE910C5 for <tls@ietf.org>; Thu, 22 Sep 2016 14:18:12 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hs-offenburg.de; h=content-type:content-type:mime-version:in-reply-to:references :subject:subject:from:from:date:date:x-mailer:message-id :received:received:received; s=default; t=1474546692; x= 1475410693; bh=U8AkgF/2TIT8cuHpM53dPZA2yNK0EWFHfvuKBUM5zgs=; b=W muc9Qv1qgr1b4+1COxriQ0U5BJlHPLvUHJYo3Z0HTTKjUXy54rR7pJb4ze8DiJii Q+Mx7hGIraD3Sf1111hFu0fcQAKLxRoOezzwPxR/cFlw/X0PidRKyenGZI+Wzhcf SAHQnHo01ZaCkaqrlT2Knc4z2Hn1tnz2FTYkBHPHqE=
X-Virus-Scanned: amavisd-new at hs-offenburg.de
Received: from mx.hs-offenburg.de ([127.0.0.1]) by localhost (mx.hs-offenburg.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yc6kdP8oGsaO for <tls@ietf.org>; Thu, 22 Sep 2016 14:18:12 +0200 (CEST)
Received: from gwia2.rz.hs-offenburg.de (gwia2.rz.hs-offenburg.de [141.79.10.30]) by mx.hs-offenburg.de (Postfix) with ESMTPS id C602EE910B3 for <tls@ietf.org>; Thu, 22 Sep 2016 14:18:09 +0200 (CEST)
Received: from gw_dom-gwia2-MTA by gwia2.rz.hs-offenburg.de with Novell_GroupWise; Thu, 22 Sep 2016 14:18:09 +0200
Message-Id: <57E3E821020000AC0011C0DC@gwia2.rz.hs-offenburg.de>
X-Mailer: Novell GroupWise Internet Agent 14.2.1
Date: Thu, 22 Sep 2016 14:18:09 +0200
From: "Andreas Walz" <andreas.walz@hs-offenburg.de>
To: <pgut001@cs.auckland.ac.nz>
References: <57D2E218020000AC0011B17E@gwia2.rz.hs-offenburg.de> <20160909152901.9008C1A552@ld9781.wdf.sap.corp> <1473853106532.3256@cs.auckland.ac.nz> <57D96E34020000AC0011B73F@gwia2.rz.hs-offenburg.de> <57E25106020000AC0011BF3A@gwia2.rz.hs-offenburg.de> <CABkgnnX7X+21wjChxkW-uhd8WXAMyp5f1F74H5ja=1mui4POiQ@mail.gmail.com>, <57E272CB020000AC0011BF63@gwia2.rz.hs-offenburg.de> <1474473207998.35647@cs.auckland.ac.nz>, <57E2E068020000AC0011BFD4@gwia2.rz.hs-offenburg.de> <1474520407230.85774@cs.auckland.ac.nz>
In-Reply-To: <1474520407230.85774@cs.auckland.ac.nz>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=__Part0137B811.4__="
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ix0TA0zps-fxOREdXrtk53voECI>
Cc: tls@ietf.org
Subject: [TLS] Antw: Re: Antw: Re: Suspicious behaviour of TLS server implementations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Sep 2016 12:30:07 -0000

>>> Peter Gutmann <pgut001@cs.auckland.ac.nz>; 22.09.16 7.00 Uhr >>>


> Nope.  There's a big difference between "I can't continue" and "I can 
> continue without any problems but don't want to".  The example I gave of
> "Couldn't connect to Amazon because no suitable encryption was available"
> would be the error message to display in the case of a decode error that
> garbled the cipher suites, an "I can't continue" condition.  The current
> thread starter was a case of "I can continue without any problems but don't
> want to", which pretty much any user of the product will perceive as a buggy
> product, meaning they'll drop it and switch to something that works.

> Peter.


I see your point here. However, where would you draw the line between "I can't" and "I don't want to"? Think of a cipher suites list with 3 bytes in a ClientHello. You can still find one cipher suite that could be ok to work with. However, how can you trust the first two bytes if you find that third byte telling you something's abnormal?


Andi