Re: [TLS] What's the right version number in the PreMasterSecret for renegotiation
Michael D'Errico <mike-list@pobox.com> Tue, 10 August 2010 23:02 UTC
Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AB19C3A68A7 for <tls@core3.amsl.com>; Tue, 10 Aug 2010 16:02:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LGcpZ4NXDGut for <tls@core3.amsl.com>; Tue, 10 Aug 2010 16:02:14 -0700 (PDT)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by core3.amsl.com (Postfix) with ESMTP id 04D343A6842 for <tls@ietf.org>; Tue, 10 Aug 2010 16:02:11 -0700 (PDT)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id 0CE2ECCE55; Tue, 10 Aug 2010 19:02:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=tK754UCqh6r5 +8A/g629cU+kPIM=; b=tqZI6W88fz9gDU0ojpUbHPt5CIJW0rpTowsdIUKvzQvq aENboAOVDqSCPxh6Xz/E++cp7LR9Z4L/WiZYltcGxXp1pEjlQ8PXyhHs9bd6bInc SgZTgaMkpaJ3D69aCWy0T8Wh9uL2+pz0OQaPYG1p6BtU67vrqK76k4mrBPY7unM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=umjkeU y6UkSNk3/GVllwud1mQC37nfF4tmGuFWr2YS7IGbJt7juYcgWdkwGQJjY57LOWWI Fl0PMH91oaVTOabt0KLx5rGobV4oJE7mWu9pMLTOwgfIkasuhnbw5w6jDq3Cbdce WoE4QP26eTOFoIHndjdgc92UmsQTJlqQRfwB0=
Received: from a-pb-sasl-quonix. (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id CC393CCE54; Tue, 10 Aug 2010 19:02:45 -0400 (EDT)
Received: from iMac.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id 17759CCE52; Tue, 10 Aug 2010 19:02:43 -0400 (EDT)
Message-ID: <4C61DA92.2010702@pobox.com>
Date: Tue, 10 Aug 2010 16:02:42 -0700
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: Kyle Hamilton <aerowolf@gmail.com>
References: <4C60B98B.6000004@Sun.COM> <gcpbxpjp2odftlprasjezwJv4X.penango@mail.gmail.com>
In-Reply-To: <gcpbxpjp2odftlprasjezwJv4X.penango@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 637525A8-A4D3-11DF-AFBF-9056EE7EF46B-38729857!a-pb-sasl-quonix.pobox.com
Cc: tls@ietf.org
Subject: Re: [TLS] What's the right version number in the PreMasterSecret for renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Aug 2010 23:02:15 -0000
Kyle Hamilton wrote:
> Can you please explain how and why you came to this conclusion? (Please
> don't take offense, I'm not disputing the conclusion, I simply wish to
> be more informed as to why?)
The problematic handshake is:
---->ClientHello v1.1----> (ask for an abbreviated handshake)
<---ServerHello V1.1<--- (not resumable, new session)
...
--->PreMasterSecret (v1.2)---> (**)
The version encoded within the PreMasterSecret is not the version
that was used in the ClientHello. That's a violation of the spec.
The fact that the client does actually support version 1.2 is
immaterial. A server is not expected to have logic that keeps track
of the highest version the client has ever offered in the past.
Mike
> On Mon, Aug 9, 2010 at 8:20 PM, Michael D'Errico <mike-list@pobox.com>
> wrote:
>> Based on the scenarios below, it looks like Opera is doing the right
>> thing during the renegotiation while IE 8 is not.
>>
>> Mike
>>
>>
>>
>> Xuelei Fan wrote:
>>>
>>> In RFC4346/5246, the specification for client_version in the
>>> PreMasterSecret is described as:
>>> ---------------
>>> struct {
>>> ProtocolVersion client_version;
>>> opaque random[46];
>>> } PreMasterSecret;
>>>
>>> client_version The latest (newest) version supported by the
>>> client. This is used to detect version roll-back attacks.
>>> Upon receiving the premaster secret, the server SHOULD check
>>> that this value matches the value transmitted by the client in
>>> the client hello message.
>>>
>>> ....
>>>
>>> Note: The version number in the PreMasterSecret MUST be the version
>>> offered by the client in the ClientHello, not the version
>>> negotiated for the connection. This feature is designed to
>>> prevent rollback attacks.
>>> ---------------
>>>
>>> The spec is clear for initial handshaking. But while testing
>>> renegotiation, we get two different interpretations of the version
>>> number in the PreMasterSecret. We noticed Opera (10.50) uses the version
>>> number offered by the renegotiation ClientHello, while Microsoft IE 8
>>> (IE 8 at Windows 7) uses the version number offered by the ClientHello
>>> in the initial handshaking.
>>>
>>> For Opera, the scenario looks like:
>>>
>>> Opera <--------------> TLS server
>>> --->ClientHello V1.2--->
>>> <---ServerHello V1.1<---
>>> ...
>>> --->PreMasterSecret (v1.2)---> (as expected)
>>> ...
>>> <---HelloRequest<----
>>> ---->ClientHello v1.1----> (ask for an abbreviated handshake)
>>> <---ServerHello V1.1<--- (not resumable, new session)
>>> ...
>>> --->PreMasterSecret (v1.1)---> (*)
>>>
>>>
>>> For IE 8, the scenario looks like:
>>>
>>> IE 8<--------------> TLS server
>>> --->ClientHello V1.2--->
>>> <---ServerHello V1.1<---
>>> ...
>>> --->PreMasterSecret (v1.2)---> (as expected)
>>> ...
>>> <---HelloRequest<----
>>> ---->ClientHello v1.1----> (ask for an abbreviated handshake)
>>> <---ServerHello V1.1<--- (not resumable, new session)
>>> ...
>>> --->PreMasterSecret (v1.2)---> (**)
>>>
>>> (*) Opera uses the version number offered by the ClientHello in the
>>> renegotiation handshaking.
>>> (**) IE 8 uses the version number offered by the ClientHello in the
>>> initial handshaking.
>>>
>>> Please help to clarify what's the correct version number choice for
>>> renegotiation.
>>>
>>> Thanks,
>>> Xuelei (Andrew) Fan
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
- [TLS] What's the right version number in the PreM… Xuelei Fan
- Re: [TLS] What's the right version number in the … Michael D'Errico
- Re: [TLS] What's the right version number in the … Martin Rex
- Re: [TLS] What's the right version number in the … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] What's the right version number in the … Kyle Hamilton
- Re: [TLS] What's the right version number in the … Michael D'Errico
- Re: [TLS] What's the right version number in the … Xuelei Fan
- Re: [TLS] What's the right version number in the … Martin Rex
- Re: [TLS] What's the right version number in the … Andrei Popov
- Re: [TLS] What's the right version number in the … Michael D'Errico
- [TLS] [Fwd: Re: What's the right version number i… Michael D'Errico