[TLS] Fwd: New Version Notification for draft-pettersen-tls-version-rollback-removal-00.txt

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Tue, 03 July 2012 16:37 UTC

Return-Path: <yngve@opera.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id D1A5E21F8786 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2012 09:37:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.074
X-Spam-Status: No, score=-6.074 tagged_above=-999 required=5 tests=[AWL=-0.525, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_TOWRITE=1.05]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id BjDEZ-9rwfGw for <tls@ietfa.amsl.com>; Tue, 3 Jul 2012 09:37:28 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com []) by ietfa.amsl.com (Postfix) with ESMTP id 9D16521F86D3 for <tls@ietf.org>; Tue, 3 Jul 2012 09:37:27 -0700 (PDT)
Received: from acorna.invalid.invalid (pat-tdc.opera.com []) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q63GbWH8031306 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <tls@ietf.org>; Tue, 3 Jul 2012 16:37:33 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
References: <20120703074954.1553.31285.idtracker@ietfa.amsl.com>
Date: Tue, 03 Jul 2012 18:37:36 +0200
To: "tls@ietf.org" <tls@ietf.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.wgvpsyt0qrq7tp@acorna.invalid.invalid>
In-Reply-To: <20120703074954.1553.31285.idtracker@ietfa.amsl.com>
User-Agent: Opera Mail/11.64 (Win32)
Subject: [TLS] Fwd: New Version Notification for draft-pettersen-tls-version-rollback-removal-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2012 16:37:28 -0000

Hello all,

In light of the recent discussion about using SCSVs to protect against  
version rollbacks, I decided to write up my own proposal, which is already  
used in Opera.

This method uses the Renego Information (RI) extension as an indication  
that the server is version and extension intolerant, and require the  
client to only connect to the server using its highest supported TLS  
version and extensions when the RI extension is encountered, if necessary  
restarting the connection to do so.

This approach should, according to my testing, work with  more than 99.86%  
of Renego patched servers, using just one connection to establish the  
connection. Currently, 70% of servers are Renego patched.

With respect to the steps in the procedure, under normal conditions the  
client will be able to establish a connection on the first try with 95% of  
servers that are not patched for Renego, for the remaining servers (about  
1.5% of all servers), one or more attempts using older protocol versions  
will be needed.

If implemented, this method will naturally be obsoleted when clients  
change to only accept connections with Renego patched servers and  
remove/disable all code for performing version rollbacks.

------- Forwarded message -------
Subject: New Version Notification for  
Date: Tue, 03 Jul 2012 09:49:54 +0200

A new version of I-D, draft-pettersen-tls-version-rollback-removal-00.txt
has been successfully submitted by Yngve N. Pettersen and posted to the
IETF repository.

Filename:	 draft-pettersen-tls-version-rollback-removal
Revision:	 00
Title:		 Managing and removing automatic version rollback in TLS Clients
Creation date:	 2012-07-03
WG ID:		 Individual Submission
Number of pages: 6

     Ever since vendors started deploying TLS 1.0 clients, these clients
     have had to handle server implementations that do not tolerate the
     TLS version supported by the client, usually by automatically
     signaling an older supported version instead.  Such version rollbacks
     represent a potential security hazard, if the older version should
     become vulnerable to attacks.  The same history repeated when TLS
     Extensions were introduced, as some servers would not negotiate with
     clients that sent these protocol extensions, forcing clients to
     reduce protocol functionality in order to maintain interoperability.

     This document outlines a procedure to help clients decide when they
     may use version rollback to maintain interoperability with legacy
     servers, under what conditions the clients should not allow version
     rollbacks, such as when the server has indicated support for the TLS
     Renegotiation Information extension.  The intention of this procedure
     is to limit the use of automatic version rollback to legacy servers
     and eventually eliminate its use.

Yngve N. Pettersen
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01