Re: [TLS] RFC8446 backward compatibility question
Eric Rescorla <ekr@rtfm.com> Thu, 05 August 2021 22:57 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 822913A0F13 for <tls@ietfa.amsl.com>; Thu, 5 Aug 2021 15:57:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hzMv3s_R3-Pr for <tls@ietfa.amsl.com>; Thu, 5 Aug 2021 15:57:46 -0700 (PDT)
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E79FE3A0F0C for <tls@ietf.org>; Thu, 5 Aug 2021 15:57:45 -0700 (PDT)
Received: by mail-il1-x136.google.com with SMTP id r5so6797217ilc.13 for <tls@ietf.org>; Thu, 05 Aug 2021 15:57:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6j4DVV+/Vk/xIKb1vnTxubplT+iW+P3VkRgzEV6bNhQ=; b=kqWpRmFnDuzwqv8WFpE0mtEQdsB53JbFQiW/1IaGY86v6MGL/bHHvbSY94VrmpjpX/ Ba8674ELIYKDwQ8w9+qhIFq99Y/Vi6f0ESNa95QCsDz9tyDHLpQoNJDHEDV4Hcy44i9M HXMCv1OsfzBa0yf4hGLApDPHoela3rUNouZBAQp5MXkYK2t4ZTM+mruTbbNkl8dQwIsn cL8hqHcveOXdK5Emv5X8Lv/mc9SoI122JROjKFHcIKysj+D3sN0jV7ZZyM25ICjk2Lop /5ufaQhTKb4BsbA+RYoGCkI0e2MF0Vb6EktKu6KJIr80hSTVzTQdmhqKcPHmsYHYqbqJ GBow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6j4DVV+/Vk/xIKb1vnTxubplT+iW+P3VkRgzEV6bNhQ=; b=npRC03CuvHTxBJebj/oMfWX+OHuUmbEUV9JXWk6Qw/xC2pB/2r34CZGvPaeRjSbV9g s286hVv1q2IJNZyk51XEm7HUiJyk5ILJjIZyNx4OCoThIlZj6lMe9h4t1gpfH7VxKgQS BK75ltgSx69JMegLXvmoMF2DaG9XbAQ26g0iU57pY8g5WTgj0vBJFuQMbxzCPDRofZmv hMsB8jwHjKSyCXdPJd+Pj/p96r06pcKaKnsgH8+bD8ZAraql9xTw4atVXtQLL0X0e2aq oky7e4lBx1Qy3Mv47zr2vW0OMdw6YnfYl4EolZWjSXx7uFJ/75cVPmoP6LBGZ7y+UomO lccA==
X-Gm-Message-State: AOAM530AlaL3PkaYBZMyDKaRaJlUp5FHXvE31AYanTBeACLB6vhFs/35 /5iYNDmuUwHkY2DjeuO69y4n7elO053Z+mKTo2p3Mg==
X-Google-Smtp-Source: ABdhPJylFz3vkqvzWoOvroLxbKZC2GXgoJDTg1TsAttkrY9UT6Asj/1TBiAnQFGzAAMjxfEWhc+NVt37D1G6mWampcQ=
X-Received: by 2002:a92:d741:: with SMTP id e1mr120926ilq.18.1628204263794; Thu, 05 Aug 2021 15:57:43 -0700 (PDT)
MIME-Version: 1.0
References: <20210805204355.GB57091@faui48e.informatik.uni-erlangen.de> <491413A8-E420-49AA-AA0D-1494C29F20C8@akamai.com> <20210805213523.GD57091@faui48e.informatik.uni-erlangen.de> <CABcZeBMENb1bvgtWG7o180NM2Pm43qkFBNe9kRv3F4A49k21tg@mail.gmail.com> <20210805225244.GE57091@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <20210805225244.GE57091@faui48e.informatik.uni-erlangen.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 05 Aug 2021 15:57:07 -0700
Message-ID: <CABcZeBMbfQdKi2cOFip5o4CFfGEtFKDSKJM=Zvt6=0cZWXqb4w@mail.gmail.com>
To: Toerless Eckert <tte@cs.fau.de>
Cc: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c403f705c8d7d8f9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qmX6IkOzz1tyLdYayZApsTWOk28>
Subject: Re: [TLS] RFC8446 backward compatibility question
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2021 22:57:51 -0000
On Thu, Aug 5, 2021 at 3:52 PM Toerless Eckert <tte@cs.fau.de> wrote: > > Another way to educate what you may consider to be "non-core" readership, > is maybe some form of "TLS operational considerations". Your prior answer > about that TLS server cluster consideration would also nicely fit into > something like that. Maybe something for opsec wg.. > This is in the next section: https://tools.ietf.org/rfcmarkup?doc=8446#appendix-D.3 -Ekr > Cheers > Toerless > > (*) Not sure about the number. Could have been egyption or chinese history > ;-) > > > On Thu, Aug 05, 2021 at 03:23:42PM -0700, Eric Rescorla wrote: > > On Thu, Aug 5, 2021 at 2:37 PM Toerless Eckert <tte@cs.fau.de> wrote: > > > > > Thanks for the explanation. > > > > > > My main concern was just to understand clearly what requirements > > > have to be written into RFC when one wants to ensure that TLS 1.2 needs > > > to be supported as the fallback in a particular solution. > > > > > > With TLS 1.3 not mandating support for TLS 1.2, in such cases one > > > still needs to write MUST support TLS 1.2 > > > > > > That's correct. > > > > when one thought > > > a MUST TLS 1.3 might have sufficed (assuming it included TLS 1.2 > > > support). A bit more explanatory text in 8446 might have helped. > > > > > > > TBH, I think this is pretty clear in the document. We don't generally > expect > > that support for version X includes support for version X-1. Moreover, > there > > is text in the document which doesn't make much sense if you couldn't > > just have a TLS 1.3 stack: > > > > This document defines TLS version 1.3. While TLS 1.3 is not directly > > compatible with previous versions, all versions of TLS incorporate a > > versioning mechanism which allows clients and servers to > > interoperably negotiate a common version if one is supported by both > > peers. > > > > > > Or > > > > TLS 1.2 and prior supported an "Extended Master Secret" [RFC7627 > > <https://tools.ietf.org/rfcmarkup?rfc=7627>] > > extension which digested large parts of the handshake transcript into > > the master secret. Because TLS 1.3 always hashes in the transcript > > up to the server Finished, implementations which support both TLS 1.3 > > and earlier versions SHOULD indicate the use of the Extended Master > > Secret extension in their APIs whenever TLS 1.3 is used. > > > > -Ekr > > > > > > > > > > > > > Also, the immediate status change of "obsoleted by 8446" may > > > make readers think that TLS 1.3 can take care of migration > > > from TLS 1.2 all by itself, when indeed it can not unless you > > > still also mandate implementing TLS 1.2. Of course we do not > > > have a better keyword vocabulary. Something like "Sunset by: 8446". > > > > > > Cheers > > > Toerless > > > > > > On Thu, Aug 05, 2021 at 09:16:37PM +0000, Salz, Rich wrote: > > > > > I am trying to figure out if every implementation compliant with > > > > RFC8446 is also necessarily interoperable with an RFC5246 peer, > or > > > if this > > > > is just a likely common, but still completely optional > > > implementation choice. > > > > > > > > It is possible to have a single stack that implements TLS.[123]. > > > OpenSSL, among many others does this. Some have implemented ONLY TLS > 1.3; > > > that code tends to be cleaner (in a nerd esthetic sense) than code that > > > implements multiple protocols. Some servers even "hand off" pre-1.3 > > > protocols to separate implementations (libraries); FB and Amazon used > to do > > > that. > > > > > > > > The wire protocol for TLS 1.3 uses some deliberately-reserved > extension > > > fields so that a server which doesn't do 1.3 can fail cleanly, and a > server > > > that DOES will work. And also the other way, a 1.3 client can work fine > > > with both a 1.3 server and a 1.[12] server. > > > > > > > > It's easy to rationale 1.3-only for clients. It is harder to > rationalize > > > 1.3-only for servers if you are intending those servers to be generally > > > accessible on the public Internet. > > > > > > > > > > > > > > -- > > > --- > > > tte@cs.fau.de > > > > > > _______________________________________________ > > > TLS mailing list > > > TLS@ietf.org > > > https://www.ietf.org/mailman/listinfo/tls > > > > > -- > --- > tte@cs.fau.de >
- Re: [TLS] RFC8446 backward compatibility question Salz, Rich
- [TLS] RFC8446 backward compatibility question Toerless Eckert
- Re: [TLS] RFC8446 backward compatibility question Nick Harper
- Re: [TLS] RFC8446 backward compatibility question Richard Barnes
- Re: [TLS] RFC8446 backward compatibility question Eric Rescorla
- Re: [TLS] RFC8446 backward compatibility question Toerless Eckert
- Re: [TLS] RFC8446 backward compatibility question Eric Rescorla
- Re: [TLS] RFC8446 backward compatibility question Toerless Eckert
- Re: [TLS] RFC8446 backward compatibility question Eric Rescorla
- Re: [TLS] RFC8446 backward compatibility question Toerless Eckert
- Re: [TLS] RFC8446 backward compatibility question Richard Barnes
- Re: [TLS] RFC8446 backward compatibility question Toerless Eckert
- Re: [TLS] RFC8446 backward compatibility question Christian Huitema
- Re: [TLS] RFC8446 backward compatibility question Toerless Eckert
- Re: [TLS] RFC8446 backward compatibility question Christian Huitema
- Re: [TLS] RFC8446 backward compatibility question Toerless Eckert
- Re: [TLS] RFC8446 backward compatibility question Valery Smyslov