Re: [TLS] consensus on backwards compatibility changes

mrex@sap.com (Martin Rex) Tue, 27 January 2015 19:20 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E4A1A8704 for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 11:20:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1jb6dQTHDtpH for <tls@ietfa.amsl.com>; Tue, 27 Jan 2015 11:20:41 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 780BD1A86E9 for <tls@ietf.org>; Tue, 27 Jan 2015 11:20:41 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 594BF3A26D; Tue, 27 Jan 2015 20:20:39 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 1A62D4297A; Tue, 27 Jan 2015 20:20:39 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 0FD2A1B12B; Tue, 27 Jan 2015 20:20:39 +0100 (CET)
In-Reply-To: <83CBC7E2-CDC9-4EDD-8648-8C80EE588343@ieca.com>
To: Sean Turner <turners@ieca.com>
Date: Tue, 27 Jan 2015 20:20:38 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150127192039.0FD2A1B12B@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/n4CYGyD89XrDnfflyN7xwMxl5bE>
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jan 2015 19:20:43 -0000

Sean Turner wrote:
> 
> 1) We'd like to make it crystal clear in the SSL3.0 text whether you're
> talking about the hello version or record version. We're pretty sure that
> 'protocol version' in the following is the hello version but we think
> that should be made clear.
> 
>  Implementations MUST NOT send a ClientHello or ServerHello with
>  the protocol version set to { 3, 0 } or less. Any endpoint receiving a
>  Hello message with the protocol version set to { 3, 0 } MUST respond
>  with a "protocol_version" alert message and close the connection.


A description similar to this caused the TLS version negotiation problems.
The structure members in the handshake message PDUs are called
ClientHello.client_version and ServerHello.server_version.

If the above paragraph is meant to apply to the structure members
(client_version, server_version) of the respective TLS handshake message PDUs
(ClientHello, ServerHello), then please use the names of these structure
members for disambiguation.


We really should retain the TLSv1.2 requirement that TLS v1.3 servers
MUST accept any version number (3,x) at the TLS record layer for TLS
records sent before ServerHello in a TLS handshake on a new connection.

The TLS record that carries ServerHello is the first TLS record where
the version of the protocol is well defined for the server, i.e. the sender
of the record(s) that carry ServerHello.  For the client (recipient
of the ServerHello), the version becomes known only after it has started
parsing the ServerHello handshake message.  It is still unknown to the
client when it is receiving the TLS record that carries ServerHello.


-Martin