Re: [TLS] TLS and KCI vulnerable handshakes
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 17 August 2015 15:36 UTC
On Mon, Aug 17, 2015 at 03:18:14PM +0000, Viktor Dukhovni wrote:

> The relevant code was added to the 1.0.2 dev branch in Apr of 2012,
> backporting said code from the "master" branch where fixed DH
> support was enabled in January of 2012.
>
> On a related note, for what it's worth ECDSA certs are constrained
> by keyUsage if the extension is present.

My thoughts on these from the openssl-team list (non-public) from May of 2015:

    * Remove. Frankly, I think all the static DH ciphers (even non-export)
      are useless bloat. Nobody uses them, and they lead to large client
      HELLO messages, and interop issues. I'd like to see them all
      deprecated, that'd be 42 fewer useless ciphersuites.

    * > Oh - except DH only. I think we need to keep static ECDH. I've been told
      > there are some servers out there that are configured to do static ECDH
      > with their ECDSA cert.

      Whatever for? Why go to all that trouble to defeat forward secrecy?

And now there are additional reasons to drop support for these from
"master". Making incompatible changes in 1.0.2 patch releases is perhaps
not an option (unless removal of DHr/DHd/ECDHr/ECDHe can be reasonably
positioned as a bug fix).

--
	Viktor.
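The message above argues that the static DH/ECDH ciphersuites (the DHr/DHd/ECDHr/ECDHe key-exchange variants, where the server's certificate holds the DH share) give up forward secrecy for no benefit. A defender reviewing a server build can tell those suites apart from the ephemeral ones by the key-exchange field that `openssl ciphers -v` prints. The script below is an added example, not part of Viktor's message or of OpenSSL's own code: it parses text in that layout, classifies each suite, and builds the exclusion string that keeps static (EC)DH out of the negotiable set. Assumptions: the sample lines are constructed by hand to mimic the 1.0.x `Kx=`/`Au=` output (static suites show `Kx=DH/RSA`, `Kx=ECDH/ECDSA` and so on; ephemeral ones show a bare `Kx=DH` or `Kx=ECDH`), and the `kDH`/`kECDH` keywords are taken from the 1.0.x ciphers(1) manual as the names for the static DH and static ECDH groups; check both against the build actually in use.

```python
"""Classify OpenSSL ciphersuites by key-exchange mode and flag the
static (EC)DH suites that defeat forward secrecy.

Added example; not code from the mailing-list post or from OpenSSL.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: mimics the `openssl ciphers -v` layout of the 1.0.x
# line (name, protocol, Kx=, Au=, Enc=, Mac=). Typed in here, not captured.
SAMPLE_CIPHERS_V = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH       Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA          SSLv3   Kx=ECDH       Au=RSA   Enc=AES(128)    Mac=SHA1
ECDH-ECDSA-AES256-SHA         SSLv3   Kx=ECDH/ECDSA Au=ECDH  Enc=AES(256)    Mac=SHA1
ECDH-RSA-AES128-SHA256        TLSv1.2 Kx=ECDH/RSA   Au=ECDH  Enc=AES(128)    Mac=SHA256
DHE-RSA-AES128-SHA            SSLv3   Kx=DH         Au=RSA   Enc=AES(128)    Mac=SHA1
DH-RSA-AES256-SHA             SSLv3   Kx=DH/RSA     Au=DH    Enc=AES(256)    Mac=SHA1
DH-DSS-AES128-SHA             SSLv3   Kx=DH/DSS     Au=DH    Enc=AES(128)    Mac=SHA1
AECDH-AES256-SHA              SSLv3   Kx=ECDH       Au=None  Enc=AES(256)    Mac=SHA1
AES128-SHA                    SSLv3   Kx=RSA        Au=RSA   Enc=AES(128)    Mac=SHA1
"""

_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str
    au: str

    @property
    def kind(self) -> str:
        # Static (EC)DH: the certificate *is* the DH/ECDH key, so the Kx field
        # names the certificate type ("DH/RSA", "ECDH/ECDSA") and the Au field
        # is just "DH"/"ECDH". One fixed share for the lifetime of the cert,
        # hence no forward secrecy: these are the suites the post wants gone.
        if self.kx.startswith(("DH/", "ECDH/")):
            return "static-dh"
        # Bare Kx=DH / Kx=ECDH means a fresh share per handshake (DHE/ECDHE).
        # Au=None marks the anonymous variants: ephemeral but unauthenticated.
        if self.kx in ("DH", "ECDH"):
            return "anon-ephemeral" if self.au == "None" else "ephemeral"
        # Anything else (RSA key transport, PSK, ...) is not DH-based at all.
        return "no-dh"

    @property
    def forward_secret(self) -> bool:
        # Only authenticated ephemeral (EC)DH counts as forward secret here.
        return self.kind == "ephemeral"


def parse_ciphers_v(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v`-style lines; lines that do not fit are skipped."""
    suites = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            suites.append(Suite(m["name"], m["kx"], m["au"]))
    return suites


def classify(text: str) -> Dict[str, str]:
    """Map each suite name to its key-exchange kind."""
    return {s.name: s.kind for s in parse_ciphers_v(text)}


def non_forward_secret(text: str) -> List[str]:
    """Names of every suite in the list that lacks forward secrecy."""
    return [s.name for s in parse_ciphers_v(text) if not s.forward_secret]


# Cipher-string keywords as given in the 1.0.x ciphers(1) manual (assumption:
# verify against the local build): kDH = static DH suites, kECDH = static ECDH.
STATIC_DH_EXCLUSION = "!kDH:!kECDH"


def hardened_cipher_string(base: str) -> str:
    """Append exclusions so the static (EC)DH suites cannot be negotiated."""
    return f"{base}:{STATIC_DH_EXCLUSION}"


if __name__ == "__main__":
    for name, kind in classify(SAMPLE_CIPHERS_V).items():
        print(f"{name:32} {kind}")
    print("lacking forward secrecy:", ", ".join(non_forward_secret(SAMPLE_CIPHERS_V)))
    print("hardened cipher string:", hardened_cipher_string("HIGH:!aNULL:!MD5"))
```

Run it against the real output of `openssl ciphers -v 'ALL'` from the build under review by piping that text into `classify`; any `static-dh` entry means the server could still negotiate a suite of the kind the post describes, and the `!kDH:!kECDH` exclusion (or simply not deploying a DH/ECDH-keyed certificate) removes it.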