Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Martin Rex <mrex@sap.com> Mon, 09 November 2009 17:19 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 850773A6816 for <tls@core3.amsl.com>; Mon, 9 Nov 2009 09:19:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.139
X-Spam-Level:
X-Spam-Status: No, score=-6.139 tagged_above=-999 required=5 tests=[AWL=0.110, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DLyiJNbJvqzj for <tls@core3.amsl.com>; Mon, 9 Nov 2009 09:19:48 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 7FEF13A676A for <tls@ietf.org>; Mon, 9 Nov 2009 09:19:48 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nA9HKBgm015550 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 9 Nov 2009 18:20:11 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911091720.nA9HKBC1010730@fs4113.wdf.sap.corp>
To: mrex@sap.com
Date: Mon, 09 Nov 2009 18:20:11 +0100
In-Reply-To: <200911091646.nA9GkW6n008821@fs4113.wdf.sap.corp> from "Martin Rex" at Nov 9, 9 05:46:32 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 17:19:49 -0000

Hmmm, I think I can answer this myself:

Martin Rex wrote:
> 
> If you look at the TLSv1.0 spec (rfc2246) and TLSv1.1 spec (rfc4346),
> neither contains extension data in the ServerHello in the base spec.
> 
> Is there a reason why TLS extensions should _NOT_ be applicable
> to SSLv3 in just the same way they're applicable to TLSv1.0 and TLSv1.1 ?
> 
> 
> There may be SSLv3 servers out there that choke on extension data
> in the ClientHello.  But that doesn't mean that one could not
> upgrade SSLv3 servers to support TLS extensions.  The more interesting
> question is IMHO -- which TLS clients will choke when an SSLv3 server
> returns a ServerHello extension?  spec-wise, a ServerHello extension
> is as unusual to SSLv3 as it is to TLSv1.0.

Since such an SSLv3 server will only be returning extensions in
an extended ServerHello that the TLS client asserted, and in our
specific situation here, the new extension for secure renegotiation
that we're just defining, then the answer is:  Test the update
before shipping it, and all TLS clients with the secure renegotiation
update ought to interoperate smoothly with SSLv3 servers that implement
this TLS extension.

Adding support for other/existing TLS extensions might eventually
confuse or upset installed base TLS clients, so I wouldn't try those
this time. :) 

-Martin