IETF Logo Mail Archive

Re: [TLS] Black hole was Re: Analysis of Interop scenarios TLS

Martin Rex <mrex@sap.com> Wed, 16 December 2009 03:53 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 15C4B3A6974 for <tls@core3.amsl.com>; Tue, 15 Dec 2009 19:53:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.894
X-Spam-Level:
X-Spam-Status: No, score=-5.894 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0JYtDcWwnwEg for <tls@core3.amsl.com>; Tue, 15 Dec 2009 19:53:31 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id ED1553A695C for <tls@ietf.org>; Tue, 15 Dec 2009 19:53:30 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nBG3rEma011738 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 16 Dec 2009 04:53:14 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912160353.nBG3rDS5015172@fs4113.wdf.sap.corp>
To: Pasi.Eronen@nokia.com
Date: Wed, 16 Dec 2009 04:53:13 +0100
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F31F16ADE@NOK-EUMSG-01.mgdnok.nokia.com> from "Pasi.Eronen@nokia.com" at Dec 15, 9 11:41:18 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Black hole was Re: Analysis of Interop scenarios TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 03:53:32 -0000

Pasi.Eronen@nokia.com wrote:
> 
> Martin Rex wrote:
> > tom.petch wrote:
> > >
> > > There is a solution.  We should require, as part of this patch,
> > > that upgraded stacks treat a version number that is greater than
> > > some specified value as also being a signal that the peer is
> > > upgraded.  Then we will be able to drop the MCSV and/or RI as a
> > > signal from the '3.7' ClientHello. But we do need to include this
> > > now.
> > 
> > In theory, you are correct.
> > 
> > This would, however, require us to effectively standarize the secure
> > TLS renegotiation for TLSv1.3 (or some specific TLS version in the
> > future) ahead of time.
> 
> I don't think this is what Tom was proposing. I understood his
> proposal to be something like
> 
>   if negotiated_version <= 1.2 then:
>      if (CH has MSCV) or (CH has RI) or (CH.proposed_version>1.2):
>          client_supports_secure_renegotiation = True
>          include RI in ServerHello
>      else:
>          client_supports_secure_renegotiation = False
>   else:
>      # do what the future spec says -- we don't know yet 
>    
> Or in other words: including a version >1.2 in ClientHello would mean
> the same thing as MSCV or empty RI _when_ the negotiated version is
> <=1.2. (But we wouldn't have to specify the behavior for negotiated
> version >=1.3 at this time.)
> 
> I agree with Tom that if we want to drop MCSV and RI from the
> ClientHello some day, we would need to specify this behavior now.

That would only help to drop the signaling on the initial ClientHello,
but for the renegotiation ClientHello, the TLS extension RI band-aid
will going to be with us for more than 20 years (considering that
SSLv3 is still around after 14 years, and >90% of the installed
base is at TLSv1.0 (close to 100% of the servers) today, almost
10 years after TLSv1.0.

MCSV from draft-mrex-tls-secure-renegotiation-03 could start
disappearing from _ALL_ ClientHellos with the deployment of
TLSv1.3 capable Clients.


>
> But today it would be just more code (and unused code) on the server
> + an extra test case or two.... so there are both pros and cons.

Since such an option can not be covered in "regular" interop testing
at the moment, I tend to agree that it is not worth trying, given
the (lack of) interoperability track record of untested TLS protocol
features.

-Martin

v2.23.0 | Report a Bug | By Email