Re: [TLS] ClientHello record header version
David Benjamin <davidben@chromium.org> Fri, 02 February 2018 18:49 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3DB612DB72 for <tls@ietfa.amsl.com>; Fri, 2 Feb 2018 10:49:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.709
X-Spam-Level:
X-Spam-Status: No, score=-2.709 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YXPlsGoLGH8C for <tls@ietfa.amsl.com>; Fri, 2 Feb 2018 10:48:59 -0800 (PST)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 956351252BA for <tls@ietf.org>; Fri, 2 Feb 2018 10:48:59 -0800 (PST)
Received: by mail-qk0-x233.google.com with SMTP id z12so25139840qkf.12 for <tls@ietf.org>; Fri, 02 Feb 2018 10:48:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YG9P1TbqM5RwTgjO98xVq4GzuteSc/+B4+I0KVT2gQo=; b=Bw9hOx3Zv2NTCHeOBuqTmyzBkhPmdHdBCqOOXQxgvLo6YlF0jvGgJ7Fdi10LCqaj+h +Js39+CGm8kC5myFcyyqadmqRRBsg8YgWOmVmzr1+JVAiH1au8qAoKQPDA97ABJI4jtw HGgTQI1QLA0WMDucPT0sT5uMMS/OLIplQu1GM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YG9P1TbqM5RwTgjO98xVq4GzuteSc/+B4+I0KVT2gQo=; b=ds8v83WFYkfgWFj0vHTlnYnC/jxaP48Zr7wmpCadQ4EZJzxa+LiXB60kma9KF0HtDv CVMUdS1DpfZY9VndT/VPS27l/W7Wr9k5sz8a1CxcFoOvGUkHQGpPDEuHT39thNDK7E6N 4fxWSEtXNdaTbhi6k354pHz6ybQZzPp49+WFW7al7JkWL/fQ+bXMqs0oBEcvSs1jC6+0 J7IaAA9WHVO+lRRECq+bflwOdheVKqM0b1Mfxo45A7zexQAHXS82h8Qxn1fwxSnxSx1Q A5xQmLtO+B939kxIPyMkx+hDRB6+6NjRlB1jGd+nu/kg88h6FXqxVWZX29oDixv0gTV2 bMxg==
X-Gm-Message-State: AKwxyteB4NS8h4PnJQvz6jGKQSqkUR+GWWR12JcIs3+lWy6kzZhcslRN Hps1Hq2FpebtFX66Az0kYqeqW5kC7TDT+gl8t6CMQ+0=
X-Google-Smtp-Source: AH8x224gVrl4WZTI6FEnQnJ00517t0ZYVk4skAzeMzOxVvfXreoaTMxC6GlTVBvro8hiDgn636L/HFDzPfaBoHX4kNY=
X-Received: by 10.55.16.196 with SMTP id 65mr63880835qkq.110.1517597338434; Fri, 02 Feb 2018 10:48:58 -0800 (PST)
MIME-Version: 1.0
References: <389CDA50-B152-473B-84BA-CCE226F1EF40@nerd.ninja>
In-Reply-To: <389CDA50-B152-473B-84BA-CCE226F1EF40@nerd.ninja>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 02 Feb 2018 18:48:46 +0000
Message-ID: <CAF8qwaA+f=EH_qux-HgAe9-xcejXHzPpNaJi7VN7KQB6u8Xi9g@mail.gmail.com>
To: R du Toit <r@nerd.ninja>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1146f31a457e3c05643f2a4b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u1o5IEfWwUMtOpJR6YKwROFWJkY>
Subject: Re: [TLS] ClientHello record header version
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2018 18:49:02 -0000
What implementation are you working on? Section 5.1 says that, in TLSPlaintext, the legacy_record_version "MUST be ignored for all purposes". And, of course, any pre-1.3 middleboxes which hit this case are non-compliant. That would imply they assume they can parse messages following a ClientHello they did not produce, which is invalid. I agree it would probably be prudent for the second ClientHello to say 0x0303, though. That's what our implementation does. We can fix the spec by replacing some "ClientHello"s with "first ClientHello"s. We did indeed come across a buggy non-compliant middlebox which paid attention to the record-layer version for messages after a ClientHello it did not produce. We didn't test subsequent client messages specifically, so it's possible they only care about the server ones. That one was actually a TLS-terminating middlebox, but their strategy for deciding when to terminate involves sniffing the server response. (This is, of course, non-compliant behavior. It is, again, invalid to assume that you can parse anything following a ClientHello you did not produce. This middlebox did not implement TLS 1.2 correctly.) David On Fri, Feb 2, 2018 at 1:22 PM R du Toit <r@nerd.ninja> wrote: > In the process of testing my TLS 1.3 draft-23 implementation against > OpenSSL (openssl.git:50ea9d2b3521467a11559be41dcf05ee05feabd6) I ran into > an interoperability issue: the retry ClientHello record header version is > set at 0x0301, while the ServerHello (HRR) and fake CCS records arriving > from the server have record header version 0x0303. I know this is > according to the letter of the spec, specifically this sentence from > Section 5.1: > > > > *In order to maximize backwards compatibility, records containing the > ClientHello MUST have version 0x0301 and records containing the ServerHello > MUST have version 0x0303, reflecting TLS 1.0 and TLS 1.2 respectively.* > > > > In diagram format: > > 0x0301:CH --> > > <-- 0x0303:SH(HRR) > > <-- 0x0303:CCS > > *0x0301*:CH(retry) --> > > <-- 0x0303:SH > > etc > > > > .. but I do think it will cause more issues down the line due to the > record header version toggling between 0x0301 and 0x0303. At the point in > the handshake where the retry ClientHello is sent the "compatibility mode" > changes have already served its purpose. I believe some interop issues > could be avoided by sending the retry ClientHello with record header > version 0x0303. > > > > --Roelof > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] ClientHello record header version R du Toit
- Re: [TLS] ClientHello record header version David Benjamin
- Re: [TLS] ClientHello record header version R du Toit