Re: [TLS] Ignoring unrecognized extensions

Martin Rex <mrex@sap.com> Tue, 22 June 2010 19:09 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201006221909.o5MJ9OKU018244@fs4113.wdf.sap.corp>
To: matt@mattmccutchen.net
Date: Tue, 22 Jun 2010 21:09:24 +0200
In-Reply-To: <1277227659.1945.60.camel@mattlaptop2.local> from "Matt McCutchen" at Jun 22, 10 01:27:39 pm
Cc: tls@ietf.org
Subject: Re: [TLS] Ignoring unrecognized extensions

Matt McCutchen wrote:
> 
> I think it is the intent of RFC 5246 that a TLS server, in addition to
> tolerating an "extensions" field in the ClientHello that is nonempty as
> a whole, MUST ignore individual extensions that it does not recognize.
> However, I cannot find this stated anywhere in RFC 5246.  Am I missing
> something?  Would this be worthy of an erratum?

My copy of RFC 5746, section 3.6, says this in the second-to-last paragraph:

http://tools.ietf.org/html/rfc5746#section-3.6

   TLS servers implementing this specification MUST ignore any unknown
   extensions offered by the client and they MUST accept version numbers
   higher than their highest version number and negotiate the highest
   common version.  These two requirements reiterate preexisting
   requirements in RFC 5246 and are merely stated here in the interest
   of forward compatibility.

-Martin
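The two rules Martin quotes, worked through as an added example that is not from the thread, from RFC 5746, or from any real TLS implementation: a minimal TLS 1.2 ClientHello decoder that skips extension types it does not recognize while still treating a malformed or duplicated extension as a fatal decode error, and that clamps an offered client_version above its own maximum to the highest common version. The set of "known" extension types, the supported version range (TLS 1.0 through 1.2), and the helper names are assumptions; the ClientHello bodies are constructed inline, not captured traffic.

```python
"""Server-side ClientHello handling for the two RFC 5746 section 3.6 rules:
ignore unknown extensions, and negotiate the highest common version when the
client offers a version above ours.  Illustrative code, not any library's API."""
import struct

# Assumption: the extension types this hypothetical server implements.
KNOWN_EXTENSIONS = {
    0x0000: "server_name",
    0x000d: "signature_algorithms",
    0xff01: "renegotiation_info",
}

SERVER_MIN_VERSION = (3, 1)  # TLS 1.0 (assumed server policy)
SERVER_MAX_VERSION = (3, 3)  # TLS 1.2 (assumed server policy)


class HelloError(ValueError):
    """Malformed ClientHello: a server would send a fatal alert, unlike for
    merely unknown extension types, which it must silently skip."""


def negotiate_version(client_version):
    """Pick the version to use.  A client_version above our maximum is not an
    error: we answer with our highest version.  Below our minimum is rejected."""
    if client_version < SERVER_MIN_VERSION:
        raise HelloError("protocol_version: %r is below server minimum" % (client_version,))
    return min(client_version, SERVER_MAX_VERSION)


def parse_extensions(data):
    """Walk the extensions vector (2-byte total length, then type/length/data
    triples).  Returns (known_by_name, unknown_types).  Unknown types are
    collected and skipped; overruns and duplicate types are fatal."""
    known, unknown, seen = {}, [], set()
    if not data:                       # extensions field entirely absent is legal
        return known, unknown
    if len(data) < 2:
        raise HelloError("truncated extensions length")
    (ext_len,) = struct.unpack("!H", data[:2])
    if ext_len != len(data) - 2:
        raise HelloError("extensions length does not match remaining bytes")
    pos, end = 2, 2 + ext_len
    while pos < end:
        if end - pos < 4:
            raise HelloError("truncated extension header")
        ext_type, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if pos + length > end:
            raise HelloError("extension %#06x overruns the extensions vector" % ext_type)
        body = data[pos:pos + length]
        pos += length
        if ext_type in seen:           # RFC 5246 7.4.1.4: at most one of each type
            raise HelloError("duplicate extension %#06x" % ext_type)
        seen.add(ext_type)
        if ext_type in KNOWN_EXTENSIONS:
            known[KNOWN_EXTENSIONS[ext_type]] = body
        else:
            unknown.append(ext_type)   # skipped, never a reason to abort
    return known, unknown


def build_client_hello(client_version, extensions, cipher_suites=(0x002f, 0x0035)):
    """Constructed sample input: a minimal ClientHello body (no record/handshake header)."""
    body = bytes(client_version) + b"\x00" * 32            # client_version + random
    body += b"\x00"                                         # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                     # compression_methods: null
    if extensions is not None:                              # None = field absent
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return body


def handle_client_hello(body):
    """Decode the fixed fields, then apply both rules.  Returns what the server acts on."""
    if len(body) < 35:
        raise HelloError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 34                                                # past version + random
    pos += 1 + body[pos]                                    # session_id<0..32>
    if pos + 2 > len(body):
        raise HelloError("truncated cipher_suites")
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    if cs_len < 2 or cs_len % 2:
        raise HelloError("bad cipher_suites length")
    pos += 2 + cs_len
    if pos + 1 > len(body):
        raise HelloError("truncated compression_methods")
    pos += 1 + body[pos]                                    # compression_methods<1..255>
    if pos > len(body):
        raise HelloError("truncated ClientHello body")
    known, unknown = parse_extensions(body[pos:])
    return {"version": negotiate_version(client_version),
            "extensions": known, "ignored": unknown}


def rejects(body):
    """True if the server would abort the handshake on this ClientHello."""
    try:
        handle_client_hello(body)
    except HelloError:
        return True
    return False


if __name__ == "__main__":
    # A "future" client: version 3.4 plus an extension type we have never seen.
    hello = build_client_hello((3, 4), [(0xff01, b"\x00"), (0x1234, b"\xde\xad")])
    print(handle_client_hello(hello))
```

The distinction the decoder draws is the one that matters operationally: an unknown extension type is skipped and the handshake proceeds, whereas a length overrun or a repeated type is a structural fault and ends the handshake. Servers that got the first case wrong are what made the RFC 5746 text necessary, and the same intolerance resurfaced later with version numbers above 3.3, which is why the version clamp is paired with it here.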