Re: [TLS] simplistic renego protection

[Eric Rescorla <ekr@networkresonance.com>]

At Tue, 17 Nov 2009 21:43:16 -0800,
Michael D'Errico wrote:
> You forgot to mention:
> 
> 4.3.  SSLv3
> 
>     SSLv3 does not support extensions and thus it is not possible to
>     securely renegotiate with SSLv3.  Deployments wishing to renegotiate
>     securely will need to upgrade to at least TLS 1.0.
> 
> Is there some secret agenda to kill off SSLv3? What is the point
> of that? 

Well, I don't think it's a secret that many feel that it would
be good for people to upgrade from SSLv3 to TLS. TLS includes
a number of useful security fixes and extended functionality.
So, it's not clear it's great to go out of our way to preserve
its use indefinitely.

With that said, I think that the quoted sentence is probably slightly
too strong.  There's no reason why extensions cannot be used with
SSLv3, it's just that the IETF has no change control on SSLv3 and so
it's kind of a matter of extrapolating 4366 to apply to the SSLv3
drafts. This is straightforward but undocumented.


> SSLv3 accounts for more than one-in-five connections as
> reported to this list.

Well, I've seen this claimed, but I haven't seen a citation for where
the data comes from. I'd be interested in seeing such a cite. The data
I've seen (and posted) suggests that servers support TLS very widely,
and certainly every piece of SSL/TLS-based software built on any even
remotely modern stack includes support for TLS, whatever it chooses to
negotiate.


>  There is an alternate proposal that does not
> have this limitation, and is better in many other respects.  Why do
> you keep pushing this one?

Because I feel that those other proposals are inferior in many
other respects? I'm not sure why this is so hard for you to
understand.

-Ekr