Re: [TLS] RFC 6066 - Max fragment length negotiation
Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 17 March 2017 00:22 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53385129A54 for <tls@ietfa.amsl.com>; Thu, 16 Mar 2017 17:22:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cv8J1V5r89IJ for <tls@ietfa.amsl.com>; Thu, 16 Mar 2017 17:22:33 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F0741296ED for <tls@ietf.org>; Thu, 16 Mar 2017 17:22:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1489710153; x=1521246153; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=dsP3/zh/sPAdK2jmpQZEWqCVlJfCpDmkcS3w/bRlSJQ=; b=GrAHSoCz+BzxoHuFHLiMYliO3R99WRu4YzzhMJr7y8U40u9NKOT2Ces0 cTiqAhHt5KWkk/orVPD7VoCansMirTtSvrKN4ITUSwUXiNI/dtJ9LMoc8 q7UdBiqYL7c8ywgbRtT6Z2BtLDf4iWDSjhXIr4Q33ohG0IrNSuw4sjW4h hC/8ZN9BKxXiBOFs8Op8qoqMw8Ke5pzjadwT2xDC7F7zgTyrPwJZS9lDI 9P52ztTseImX0OCuUqiiMAOF7IZgSSe4e3ZhL0+EuXd+hocl+ImasUK/c jTZoBENjHhEwexpZ4EDj5QD2jSrKZjQ6qEr4TRKS9KTqAX7meCsxjOw2z g==;
X-IronPort-AV: E=Sophos;i="5.36,174,1486378800"; d="scan'208";a="143239322"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.9 - Outgoing - Outgoing
Received: from uxcn13-tdc-e.uoa.auckland.ac.nz ([10.6.3.9]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 17 Mar 2017 13:22:31 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-e.UoA.auckland.ac.nz (10.6.3.9) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Fri, 17 Mar 2017 13:22:30 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Fri, 17 Mar 2017 13:22:30 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Nitin Shrivastav <nitin.shrivastav@broadcom.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] RFC 6066 - Max fragment length negotiation
Thread-Index: AQHSnpUB8UgZsR1fnUWlpN1q8vk4DKGYGe7w//8q+oCAANxgO///LA8AgADcRWw=
Date: Fri, 17 Mar 2017 00:22:30 +0000
Message-ID: <1489710142144.88978@cs.auckland.ac.nz>
References: <CAD8WAomJLs4hdaso9hT036=UORjT9=H5-oCHbdSofuv++n3rYg@mail.gmail.com> <1489706298995.98317@cs.auckland.ac.nz> <855C5079-FDA7-4E68-AE29-1E9605B495D7@broadcom.com> <1489707933992.42551@cs.auckland.ac.nz>, <CABkgnnVRZBwXHZ6w=gX9pykNpXp80OLP1pe-VMg-uO-C6O8yEQ@mail.gmail.com>
In-Reply-To: <CABkgnnVRZBwXHZ6w=gX9pykNpXp80OLP1pe-VMg-uO-C6O8yEQ@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tbnWtAt3K5iRr5S0mBhcREp4DAQ>
Subject: Re: [TLS] RFC 6066 - Max fragment length negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 00:22:35 -0000
Martin Thomson <martin.thomson@gmail.com> writes: >On 17 March 2017 at 10:45, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: >> In which case it might be time to update the RFC, since there's no obvious >> reason why you can't send it from the server. Can any of the original authors >> provide a reason why it shouldn't be done by the server? > >Most clients will explode if the server sends an extension that the client >didn't offer. Is that from actually trying it with clients, or just assuming that implementations will do what the spec says? It's another one of those bits of TLS 1.2 that make no sense, so I've ignored the requirement in my code, you have to add a whole pile of code to perform the check (more attack surface) and the best possible outcome is that it has no effect, while the worst is that it breaks things if a buggy server drops in an extension the client wasn't expecting. In other words implementing it has negative utility. There's also the escape hatch of "server-oriented extensions", all you'd need to do is define one that tells the server that the client will accept any extensions the server cares to send, thus negating the "no server extensions" requirement. Given that this looks like an embedded-only sort of thing, I could even add it to -LTS, since a primary target of that is embdded/SCADA/etc. Peter.
- [TLS] RFC 6066 - Max fragment length negotiation Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Yoav Nir
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Yoav Nir
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Thomas Pornin
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Ilari Liusvaara
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Ilari Liusvaara
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Thomas Pornin
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Ilari Liusvaara
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Joseph Birr-Pixton
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Joseph Birr-Pixton
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nitin Shrivastav
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Sheehe, Charles J. (GRC-LCA0)
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Thomas Pornin
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Nikos Mavrogiannopoulos
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Hannes Tschofenig
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Thomson
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Eric Rescorla
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Martin Rex
- Re: [TLS] RFC 6066 - Max fragment length negotiat… Peter Gutmann