IETF Logo Mail Archive

Re: [TLS] Avoiding first use of RI in ClientHello

Robert Relyea <rrelyea@redhat.com> Wed, 25 November 2009 23:28 UTC

Return-Path: <rrelyea@redhat.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BC9073A6974 for <tls@core3.amsl.com>; Wed, 25 Nov 2009 15:28:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WAN-ElliTx9w for <tls@core3.amsl.com>; Wed, 25 Nov 2009 15:28:34 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by core3.amsl.com (Postfix) with ESMTP id D048F3A69C4 for <tls@ietf.org>; Wed, 25 Nov 2009 15:28:34 -0800 (PST)
Received: from int-mx04.intmail.prod.int.phx2.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.17]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id nAPNSTui007960 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <tls@ietf.org>; Wed, 25 Nov 2009 18:28:29 -0500
Received: from [10.14.54.215] (dhcp-215.sjc.redhat.com [10.14.54.215]) by int-mx04.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id nAPNSSFu009089 for <tls@ietf.org>; Wed, 25 Nov 2009 18:28:28 -0500
Message-ID: <4B0DBD9C.1090703@REDHAT.COM>
Date: Wed, 25 Nov 2009 15:28:28 -0800
From: Robert Relyea <rrelyea@redhat.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4pre) Gecko/20091014 Fedora/3.0-2.8.b4.fc11 Lightning/1.0pre Thunderbird/3.0b4
MIME-Version: 1.0
To: tls@ietf.org
References: <20091125223502.4265B6C3285@kilo.networkresonance.com>
In-Reply-To: <20091125223502.4265B6C3285@kilo.networkresonance.com>
X-Enigmail-Version: 0.97a
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms080701010805090403090009"
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.17
Subject: Re: [TLS] Avoiding first use of RI in ClientHello
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2009 23:28:35 -0000

On 11/25/2009 02:35 PM, Eric Rescorla wrote:
> Folks,
>
> I wanted to try to resolve what I see as the major technical concern
> people have about draft-ietf-tls-renegotiation-00, namely that the
> client cannot offer secure renegotiation and be sure that it won't
> cause a connection failure with a downrev (extension noncompliant)
> server.
>
> There's been a lot of discussion of whether this is a serious problem,
> but it's clear that minimal risk of breaking things that currently
> work (which some folks think requires not using extensions in the
> initial ClientHello) is important for the timely deployment of the
> fix, and with the current draft, that may require fall-back to
> extension-less handshake.
>   
This is not an RI specific issue. TLS already defines a number of
extensions. This fallback policy was implemented not because extension
noncompliant servers were particularly important, but because
implementations needed to have minimal objections for moving forward and
actually using extensions. Today TLS clients regularly use extensions,
so adding one more to allow renegotiation should not be an issue.
>   
> It's unclear how often such fall-back logic would actually be needed,
> and I do find Nelson's "tough love" approach here sort of appealing,
> but it does seem to be a problem that you don't necessarily know for sure 
> whether you need it or not until you've actually shipped the product 
> with extensions, and possibly broken applications that currently work. 
> It's especially concerning that fall-back can't be implemented reliably
> inside the TLS library, e.g., if you just get a filehandle, so changes
> to the app logic are required.
>   
I think we already have a handle on this. Most modern browsers already
send extensions in their initial handshakes. This change has been
responsible for the final demise of SSLv2.

The whole idea that extensions are rare just doesn't match with today's
reality. Yes, there are some implementations that can't handle them.
That is a very small percentage compared to the number of
implementations that can't safely renegotiate (e.i. 100% of them). Those
implementations already have to deal with a world in which extensions
are real and common. They also have to deal with a world in which their
code will need to be patched in order to be safe anyway.

> The rest of this message describes a simple modification [*] to
> draft-ietf-tls-negotiation which I think addresses this compatibility
> issue without requiring fall-back.
>
> The idea is to use a magic cipher suite to signal that the client can
> securely renegotiate (as described in
> draft-mrex-tls-secure-renegotiation). 
I'm not excited about the magic cipher suite hack for SSLv3, but I can
live with it if I have to. I am strongly opposed to extending it to TLS.
In the TLS world extensions are expected, normal, and now common. There
is no reason to overload a field created specifically to determine a
compatible cipher suite with something that extensions are designed to do.

bob

v2.23.0 | Report a Bug | By Email