IETF Logo Mail Archive

Re: [TLS] consensus on backwards compatibility changes

Michael Clark <michael@metaparadigm.com> Fri, 13 February 2015 02:24 UTC

Return-Path: <michael@metaparadigm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E9331A005A for <tls@ietfa.amsl.com>; Thu, 12 Feb 2015 18:24:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.457
X-Spam-Level:
X-Spam-Status: No, score=-1.457 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7x_VjZFLyfJk for <tls@ietfa.amsl.com>; Thu, 12 Feb 2015 18:24:52 -0800 (PST)
Received: from tlsx.org (tlsx.org [67.207.128.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 475661A038F for <tls@ietf.org>; Thu, 12 Feb 2015 18:24:52 -0800 (PST)
Received: from monty.local (unknown.maxonline.com.sg [58.182.168.20] (may be forged)) (authenticated bits=0) by tlsx.org (8.14.4/8.14.4/Debian-4) with ESMTP id t1D2lHBw006174 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 13 Feb 2015 02:47:21 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=metaparadigm.com; s=klaatu; t=1423795644; bh=c+OJukfgl3BXH4hOE44Un43u8KnvcnfysjdO/xEYipI=; h=Date:From:To:Subject:References:In-Reply-To:From; b=tXKoppNB1VXeTM85wRkZX56FVK0ZwocyFvKJcjyf/Wi/L4i26vMcTJC9/xynYxlJ8 7RCwcrCpfXbDRN5zxMD81C+kxuhFhc3haGaLXLJeRjmGxK03jlnGwb8GLDWMvnXQ2Z KAaW7aWp2Kmf39Hda3AN7X7sfPsXlUbsd04exIws=
Message-ID: <54DD6065.8000205@metaparadigm.com>
Date: Fri, 13 Feb 2015 10:24:37 +0800
From: Michael Clark <michael@metaparadigm.com>
Organization: Metaparadigm
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Dave Garrett <davemgarrett@gmail.com>, "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
References: <201412300503.03923.davemgarrett@gmail.com> <83CBC7E2-CDC9-4EDD-8648-8C80EE588343@ieca.com> <CABcZeBPzkPgUa2vB4N_peBUeKsypvp_bOUr+9bvW8SfmML7zNw@mail.gmail.com> <201502121714.54235.davemgarrett@gmail.com>
In-Reply-To: <201502121714.54235.davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary="------------000701060305000104090406"
X-Virus-Scanned: clamav-milter 0.98.5 at klaatu.tlsx.org
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/w4LFMeTBa2vr384qwuONvqGFRo8>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Feb 2015 02:24:55 -0000

On 13/2/15 6:14 am, Dave Garrett wrote:
> PR#107 rebased. I believe all comments have all been addressed.
>
> https://github.com/tlswg/tls13-spec/pull/107/files
>
> To recap the changes:
> * ClientHello record layer version fixed to {3,1}
> * other record layer versions explicitly required to be negotiated version
> * note some security considerations & other suggestions from Brian
> * some editorial fixups
> * cite RC4 prohibition draft in backwards compatibility
> * explicitly forbid ciphers <112 bits for backwards compatibility
> * added the line:
> "If an implementation negotiates usage of TLS 1.2, then negotiation of cipher
> suites also supported by TLS 1.3 SHOULD be preferred, if available."

Comments as an observer.


1). Contention on setting the ClientHello record layer version to { 3, 0
} or { 3, 1 } in TLSv1.3

-: The version of the protocol being employed.  This document
-  describes TLS Version 1.3, which uses the version { 3, 4 }.  The
-  version value 3.4 is historical, deriving from the use of {3, 1}
-  for TLS 1.0.  (See {{record-layer-1}}.)  Note that a client that
-  supports multiple versions of TLS may not know what version will
-  be employed before it receives the ServerHello.  See
-  {{backward-compatibility}} for discussion about what record layer
-  version number should be employed for ClientHello.
+: The version of the protocol being employed in the current record.
+  TLS clients MUST set this version to { 3, 1 } for the initial ClientHello.
+  For the ServerHello and all other TLS records this MUST be equal to the negotiated version.


* In support of https://github.com/tlswg/tls13-spec/issues/113 and SSLv3
deprecation with haste
* Observe approximate consensus for TLSv1.3 implementation to not
negotiate protocol versions lower than TLSv1.0 with >= 128 bit cipher suites
* Text mentions information leakage. Argue that sending { 3, 1 } { 3, 4
} qualifies as information leakage.
* Spec can be explicit that it is NOT RECOMMENDED for TLSv1.3 clients to
negotiate SSLv3 { 3, 0 } not to be conflated with the record layer lower
bound.
* Believe ClientHello { 3, 0 } { 3, 4 } may be more guarded.
* The record layer version is not to be conflated with the minimum
negotiated TLS protocol version (from the same reasoning we deduce this
as information leakage).
* If a server sees ClientHello { 3, 0 } { 3, 4 } it knows the
ClientHello binary structure changes are additive since { 3, 0 } as it
is the record layer binary compatibility boundary.
* Given TLSv1.0 is a best practice for a protocol lower bound (separate
from TLSv1.3); then a TLSv1.3 client can safely assume servers will be
extension tolerant with ClientHello { 3, 0 } { 3, 4 } .
* Argue that setting the record layer version to { 3, 0 } leaks less
information given it is the record layer binary compatibility boundary
(not to be conflated with the minimum supported TLS version).
* Observation is that { 3, 0 } { 3, 4 } at the record layer would not be
incompatible with a client not supporting versions lower than TLSv1.0 {
3, 1 }
* If TLSv1.3 ClientHello is { 3, 1 } { 3, 4 } then so be it; however not
pivoting record layer version on backwards incompatible binary changes;
leads to { 3, 2 } { 3, 5 } and more information leakage.
* The fact that an SSLv3.0 server can parse the first part of the
ClientHello is not relevant to the choice of record layer lower bound
for the TLSv1.3 ClientHello.

Please note these as observations not recommendations. If there is
approximate consensus for { 3, 1 } at the record layer then I am in the
minority on the *pinned* value; prefer it to the minimum supported
backwards compatible record layer version; given an alert indicates a
buggy server. Please do not read this as support for SSLv3 backwards
compatibility.

Flip side:

* { 3, 1 } can be regarded as the binary compatibility pivot point due
to its extension support. In that case I favor { 3, 1 }
* The only argument for { 3, 0 } supports servers that are tolerant of
unknown data after the compression methods (in addition to cipher suite
tolerance).

Flip side:

* This tolerance is not a bug. TLS requires extension and version
tolerance as it is the forwards compatibility mechanism
* This is unknown hello data in view of SSLv3.0 servers that are not
even going to be supported
* { 3, 0 } leaks less information no matter what the protocol lower
bound of the client is

Conclusion

* Would rather accept ClientHello { 3, 0 } { 3, 5 } and send ServerHello
{ 3, 4 } { 3, 4 } and not have ClientHello { 3, 0 } { 3, 5} create
alerts that lead to downgrade attack vectors
* independently from the choice of site operators and clients to drop
support for SSLv3.0. i.e. pin the ClientHello record layer at { 3, 0 }
* Not in favor of pinning ClientHello record { 3, 1 }. { 3, 0 } should
be allowed.
* BCP 188



2.) "Negotiating with buggy servers"

+### Negotiating with buggy servers
+
+Some server implementations are known to implement version negotiation
+incorrectly. There are buggy TLS servers that simply close the connection
+when a client offers a version newer than it supports. Also, it is
+known that some servers will refuse the connection if any TLS extensions are
+included in ClientHello. Interoperability with such buggy servers is a complex
+topic beyond the scope of this document, and may require multiple connection
+attempts by the client.



* Primary observation. This section is at odds with the consensus for
TLSv1.3 implementation to not negotiate anything lower than TLSv1.0 { 3,
1 } with >= TLSv1.2.
* While the protocol lower bound may not be in scope for the TLSv1.3
spec; the security concern for bugger servers should be; a small number
of buggy servers lead to clients with attack vectors
* Buggy servers should not be named or supported in a security protocol
draft.

As an observer I would prefer to see this text changed from this:

    "and may require multiple connection attempts by the client."

to something like this:

    "and may require multiple connection attempts by the client, however
it is NOT RECOMMENDED that clients make multiple connection attempts as
this provides a vector for downgrade attacks"

or change the title to:
  

### Negotiating with version and extension intolerant servers

v2.23.0 | Report a Bug | By Email