Re: [TLS] Client Hello size intolerance Was: Re: Thoughts on Version Intolerance

Brian Smith <brian@briansmith.org> Wed, 27 July 2016 02:33 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 440BE12DD36 for <tls@ietfa.amsl.com>; Tue, 26 Jul 2016 19:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sTUpYU7P-rZk for <tls@ietfa.amsl.com>; Tue, 26 Jul 2016 19:33:14 -0700 (PDT)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F73912DCA8 for <tls@ietf.org>; Tue, 26 Jul 2016 19:27:33 -0700 (PDT)
Received: by mail-io0-x235.google.com with SMTP id q83so57462094iod.1 for <tls@ietf.org>; Tue, 26 Jul 2016 19:27:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1CU/9A05TvfILyIDgKDBOzq6v57QA5XE3V4O93d0vFo=; b=HIgj4mgendpM8am3fvP/0IAxsoC9QwpYyTcbN3VF3JSpXkjHSRoEng2ZKOc7z2kd7T ZtaKbHKTQwL51Kb1Igqwb2lCofRG+amadFWEImX8s3/pDbQ4ZsGpC9Reu7mOwdHJHhv9 ZlNoRhgLhWDERnDTYL8QiNbSYGHxxv6UrGXYd40T0VrG4s/icXFAfWZD5D89c4ilKcIm m6zdV5iL6EdffsfCMg/R08tB9sr4bmhokr4sVSPBx64V2LEldeIqntvzFrzTp/BUGwWW 5K8PGKrPxKxM5ygeopIb9r2XDmzmMO3MFQFNUeb4dZxd+C7LSSCtNGoM0mLV8bzyQhh1 6reQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1CU/9A05TvfILyIDgKDBOzq6v57QA5XE3V4O93d0vFo=; b=Uc0pOSgM7shhuB5rNkKcTL3kBu7QFiiaqtAI252D8tY5fOxLSxZObzuBErVUNLrI1F WUwFJpCDKmIuTk0xH9wQxfPxH1j+fahx/3WAlXZIkhVWTZ5F1quHpS9BOhY5f+QskfAh W2WuujSjyvNlz6iethibzGasYcwR6F3sXmvbNRHzO/A3nIjeLc+aSBr+RWXOFD4Tr0SF mfHc+hkrslCfz7VB/szErMH/dCl5lfHOPxJq43QG5E6JzddbIgvwyEwB5wU0uDzsULBp dCgIk4GWc9RjvLfni3D/ayFkowkYwOTP7hqnxTr9jr9znFiVeI7/xEOUg/NIJEiZNaJe MimA==
X-Gm-Message-State: AEkoouvwqoZbvOabgcgqq4/YkpE5bpoLyuFnSSjbJFFxDojU7vLisLX6cNN8d9XBJi4kCL0Rm14qYMgEp8C3DA==
X-Received: by 10.107.9.231 with SMTP id 100mr30383500ioj.196.1469586453033; Tue, 26 Jul 2016 19:27:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.74.73 with HTTP; Tue, 26 Jul 2016 19:27:32 -0700 (PDT)
In-Reply-To: <10280200.XEPfMK1A2H@pintsize.usersys.redhat.com>
References: <20160720173027.9BC3D1A504@ld9781.wdf.sap.corp> <201607211604.25745.davemgarrett@gmail.com> <2581885.dP5x8nd4GP@pintsize.usersys.redhat.com> <10280200.XEPfMK1A2H@pintsize.usersys.redhat.com>
From: Brian Smith <brian@briansmith.org>
Date: Tue, 26 Jul 2016 16:27:32 -1000
Message-ID: <CAFewVt64sj2-oFQDL=PKDcfJifaLc=yNwyaz_Dy2j57e2qAKqQ@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wVcAzoSuJrMl-3fy1XiLN6BlYhs>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Client Hello size intolerance Was: Re: Thoughts on Version Intolerance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 02:33:15 -0000

Hubert Kario <hkario@redhat.com> wrote:
> 170 were detected as TLS 1.3 incompatible (3.9%)
> 183 were detected as TLS 1.4 incompatible (4.2%)
> 229 were detected as TLS 1.253 incompatible (5.22%)
>
> in the below excerpt (full list below, this is just entries that have at least
> 4 servers with same behaviour), "e/<number>" means that it's the smallest size
> of "Very Compatible" client hello extended through the padding extension that
> causes its rejection by server, similarly "c/<number>" indicates smallest size
> rejected by server when the client hello is made big through addition of
> cipher suite IDs

> Cumulative distribution function for size intolerancies looks like this:
>
> size <c/512                              12        0.2733
> size <c/1024                             16        0.3644
> size <c/2048                             33        0.7515
> size <c/4096                             47        1.0704
> size <c/8192                             47        1.0704
> size >=c/8192                            4064      92.5529

This seems like a good indication that clients should limit the number
of cipher suites in the client hello.

>
> size <e/512                              0         0
> size <e/1024                             0         0
> size <e/2048                             11        0.2505

A finer-grained breakdown of sizes between 0-2048 bytes is a better
area to focus on. I personally would try very hard to ensure my
ClientHello fits comfortably in a single packet if at all possible, at
least for a connection to a server that I don't have a session ticket
(or equivalent) for.

> TLS 1.3                                  170       3.8742
> TLS 1.4                                  183       4.1705

> size e/1356                              10        0.2279
> size e/1356 c/1356                       5         0.1139
> size e/1356 c/1357                       5         0.1139
> size e/2046                              1         0.0228
> size e/2046 c/1979                       1         0.0228
> size e/2049                              4         0.0912
> size e/2049 c/1153                       1         0.0228
> size e/2049 c/2049                       2         0.0456
> size e/2049 c/2050                       1         0.0228
> size e/2053                              1         0.0228
> size e/2053 c/555                        1         0.0228

When we consider the most reasonable (initial) ClientHello sizes, it
seems that the ClientHello version number intolerance is a much more
significant problem than size intolerance, if I'm understanding your
numbers correctly.

Cheers,
Brian
-- 
https://briansmith.org/