Re: [TLS] TLS and KCI vulnerable handshakes

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 17 August 2015 15:36 UTC

Date: Mon, 17 Aug 2015 15:36:45 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150817153645.GF24426@mournblade.imrryr.org>
References: <55C8CD7A.7030309@rise-world.com> <9A043F3CF02CD34C8E74AC1594475C73F4AD80F3@uxcn10-5.UoA.auckland.ac.nz> <55CA821B.9090101@rise-world.com> <9A043F3CF02CD34C8E74AC1594475C73F4ADDD17@uxcn10-5.UoA.auckland.ac.nz> <20150817151814.GE24426@mournblade.imrryr.org>
In-Reply-To: <20150817151814.GE24426@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/shA9WKZrQp12PjD2IvpFJk-staY>

On Mon, Aug 17, 2015 at 03:18:14PM +0000, Viktor Dukhovni wrote:

> The relevant code was added to the 1.0.2 dev branch in Apr of 2012,
> backporting said code from the "master" branch where fixed DH
> support was enabled in January of 2012.
> 
> On a related note, for what it's worth ECDSA certs are constrained
> by keyUsage if the extension is present.

My thoughts on these from the openssl-team list (non-public) from
May of 2015:

  * Remove.  Frankly, I think all the static DH ciphers (even non-export)
    are useless bloat.  Nobody uses them, and they lead to large client
    HELLO messages, and interop issues.

    I'd like to see them all deprecated, that'd be 42 fewer useless
    ciphersuites.

  * > Oh - except DH only. I think we need to keep static ECDH. I've been told
    > there are some servers out there that are configured to do static ECDH
    > with their ECDSA cert.

    Whatever for?  Why go to all that trouble to defeat forward secrecy?

And now there are additional reasons to drop support for these from
"master".  Making incompatible changes in 1.0.2 patch releases is
perhaps not an option (unless removal of DHr/DHd/ECDHr/ECDHe can
be reasonably positioned as a bug fix).

-- 
	Viktor.
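The keyUsage point quoted above (an ECDSA certificate can only serve static ECDH key agreement when keyUsage is absent or carries keyAgreement, while signing ServerKeyExchange needs digitalSignature) as an added Go example; this is not code from the thread or from OpenSSL. It builds constructed self-signed P-256 test certificates and reports which key-exchange role each permits; the CommonName and the helper names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// keyUsageAllows: true if the keyUsage extension (found by OID, since a parsed
// KeyUsage of 0 cannot tell "absent" from "no bits set") is absent or has bit.
func keyUsageAllows(cert *x509.Certificate, bit x509.KeyUsage) bool {
	for _, e := range cert.Extensions {
		if e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 15}) { // id-ce-keyUsage
			return cert.KeyUsage&bit != 0
		}
	}
	return true // no keyUsage extension: RFC 5280 imposes no restriction
}

// StaticECDHAllowed: may this cert's EC key be used for static ECDH key
// agreement (the ECDH_ECDSA suites)? Only with keyAgreement (or no keyUsage).
func StaticECDHAllowed(cert *x509.Certificate) bool {
	return keyUsageAllows(cert, x509.KeyUsageKeyAgreement)
}

// ECDSASigningAllowed: may the key sign ServerKeyExchange (ECDHE_ECDSA suites)?
func ECDSASigningAllowed(cert *x509.Certificate) bool {
	return keyUsageAllows(cert, x509.KeyUsageDigitalSignature)
}

// makeECDSACert: constructed self-signed P-256 test cert; usage 0 omits keyUsage.
func makeECDSACert(usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: usage,
		Subject:   pkix.Name{CommonName: "constructed.example"}, // assumed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```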