Re: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt
Bodo Moeller <bmoeller@acm.org> Tue, 04 July 2006 09:43 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FxhRA-00014l-Qh; Tue, 04 Jul 2006 05:43:20 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FxhR9-00014d-Pc for tls@ietf.org; Tue, 04 Jul 2006 05:43:19 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FxhR9-0008Ag-O4 for tls@ietf.org; Tue, 04 Jul 2006 05:43:19 -0400
Received: from moutng.kundenserver.de ([212.227.126.188]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1FxhP6-0002y2-Ga for tls@ietf.org; Tue, 04 Jul 2006 05:41:14 -0400
Received: from [134.147.40.251] (helo=tau.invalid) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis), id 0MKwh2-1FxhP204NO-00064z; Tue, 04 Jul 2006 11:41:08 +0200
Received: by tau.invalid (Postfix, from userid 1000) id 2007C18961; Tue, 4 Jul 2006 11:41:06 +0200 (CEST)
Date: Tue, 04 Jul 2006 11:41:06 +0200
From: Bodo Moeller <bmoeller@acm.org>
To: Pasi.Eronen@nokia.com
Subject: Re: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt
Message-ID: <20060704094106.GA22002@iota.site>
References: <200607031523.RAA09074@uw1048.wdf.sap.corp> <B356D8F434D20B40A8CEDAEC305A1F2402D9BF00@esebe105.NOE.Nokia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F2402D9BF00@esebe105.NOE.Nokia.com>
User-Agent: Mutt/1.5.9i
X-Provags-ID: kundenserver.de abuse@kundenserver.de login:2100a517a32aea841b51dac1f7c5a318
X-Spam-Score: -2.6 (--)
X-Scan-Signature: 6e922792024732fb1bb6f346e63517e4
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
On Mon, Jul 03, 2006 at 07:14:15PM +0300, Pasi.Eronen@nokia.com wrote: > A quick and totally unscientific survey of what some widely used > SSL/TLS implementations do: > > - OpenSSL (0.9.8) > - When configured in "both SSLv3 and TLSv10 allowed" mode, > sends V2 ClientHello. This is the behavior of OpenSSL versions up to 0.9.7g. Versions 0.9.7h and later, including 0.9.8, will actually send a TLS/SSL3 format Client Hello message with version number {03,01} in both fields. How did you run the test? If you really used OpenSSL 0.9.8 and really disabled SSL 2.0, then the library shouldn't have used the V2 Client Hello message format. The code used by OpenSSL to create the TLS/SSL3 record header for the Client Hello message is as follows: /* fill in 5-byte record header */ d=buf; *(d++) = SSL3_RT_HANDSHAKE; *(d++) = version_major; *(d++) = version_minor; /* arguably we should send the *lowest* suported version here * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */ s2n((int)l,d); The specification specifically demands the "SSL 3.0 record format and client hello structure", which is essentially the same as the TLS 1.0 record format and client hello structure, with the notable exception of the version number field. So it's quite clear that you should put {03,00} into the record header version field, since this is the only way you can actually avoid the "TLS 1.0 record format" and use the "SSL 3.0 record format". On the other hand, this could trigger some bugs in thoughtlessly done server implementations, which are avoided by sending {03,01} in the record version field. In contrast, sending too large a minor version number (such as {03,01} for a record supposed to be in "SSL 3.0 record format") can be expected to work well with thoughfully done server implementations: If a server obtains a {03,xx} format Client Hello where the version number specified by the client is larger than the highest protocol version supported by the server ({03,yy}, say), then the best the server can do is try its highest protocol version, and send an according Server Hello message. Either this will work since the client does support {03,yy}, too; or otherwise the protocol mismatch is unavoidable, and will be detected by the client. So if a TLS 1.0 or TLS 1.1 server receives a Client Hello contained in a record of protocol version number {03,2A} or whatever, it should just try to parse this in its own native format, and negotiate the protocol version accordingly. Things can't get worse than triggering a protocol_version alert from the client, and this is not very likely to happen. (If the *major* protocol version number is unknown, such as {04,00}, then it certainly makes sense to abort the handshake immediately.) > - When configured in "TLS10 only" mode, sends {03,01} in both fields > - Mozilla Firefox 1.5 > - Seems to send V2 ClientHello no matter what the settings?? > - MS Internet Explorer 6.0 > - When configured in "both SSLv3 and TLSv1.0 allowed" mode, > sends V3 ClientHello with {03,01} in both fields > - SunJSSE (JDK 1.4.2) > - When configured in "both SSLv3 and TLSv1.0 allowed" mode, > sends V3 ClientHello with {03,01} in both fields > - GnuTLS (10.0.20) > - When configured in "both SSLv3 and TLSv1.0 allowed" mode, > sends V3 ClientHello with {03,01} in both fields > - When configured in "SSLv3, TLSv1.0 and TLSv1.1 allowed" mode, > sends V3 ClientHello with {03,02} in both fields > > In other words: All these implementation seem to follow the > rule that TLSPlaintext.version==ClientHello.client_version, or > use V2 ClientHellos... > > Given that Yngve's interoperability draft suggests that some > servers incorrectly use the record layer version number for > negotiation, I think the safest clarification would be to > say that the two version numbers must be equal. The experiment that we'd really have to run is to test various servers out there with Client Hello messages where the record protocol version and the Client Hello protocol version differ, to see what protocol version the servers will negotiate: - Send a Client Hello with a client_version of {03,2A} (say) in a record with version {03,00} and see if the server picks SSL 3.0 ({03,00}) or some version of TLS. - Then, unless the server picked the highest protocol number defined at this time, try again using a uniform-version Client Hello naming a protocol version higher than the one from the first experiment. (E.g., if the server picked SSL 3.0 in the first test, check if it does support TLS 1.0 after all.) - Finally, send a Client Hello with both version field set to {03,2A} (say) to see if the server handles unknown protocol versions properly and gracefully falls back to an existing protocol version. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt Martin Rex
- RE: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt Pasi.Eronen
- Re: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt Martin Rex
- Re: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt David Hopwood
- Re: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt Bodo Moeller
- RE: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt Pasi.Eronen
- Re: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt Rob Dugal
- RE: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt Pasi.Eronen
- Re: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt Bodo Moeller
- RE: [TLS] Re: draft-ietf-tls-rfc4346-bis-01.txt Rob Dugal