Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

Andrei Popov <Andrei.Popov@microsoft.com> Fri, 03 June 2016 17:28 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5793312D72A for <tls@ietfa.amsl.com>; Fri, 3 Jun 2016 10:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvJ4s7FsqW_U for <tls@ietfa.amsl.com>; Fri, 3 Jun 2016 10:28:21 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0101.outbound.protection.outlook.com [65.55.169.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D25A12D54C for <tls@ietf.org>; Fri, 3 Jun 2016 10:28:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=yOSpZI1DE5sQIkDf41OJQT6TCvep2AQFZBIv6lCOsD4=; b=lNKKzp3CBL41EZPiuvZ+caCYtjXs5MSwad2dybGY13x/VkbmvCG2RkSmbfNVwfLkwrbN9eAaaoYVcQJwOlzTtv0wWjKI+1ydS7H0Oppyrvq4z4s7DZ6PkqC4DSEdZT4LHlDdHVsy81wfGk5U6cr6iVhEb50g6MzPT9KFeJlFG5g=
Received: from BN3PR03MB1445.namprd03.prod.outlook.com (10.163.34.28) by BN3PR03MB1445.namprd03.prod.outlook.com (10.163.34.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.506.9; Fri, 3 Jun 2016 17:28:14 +0000
Received: from BN3PR03MB1445.namprd03.prod.outlook.com ([10.163.34.28]) by BN3PR03MB1445.namprd03.prod.outlook.com ([10.163.34.28]) with mapi id 15.01.0506.013; Fri, 3 Jun 2016 17:28:14 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>, Dave Garrett <davemgarrett@gmail.com>
Thread-Topic: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]
Thread-Index: AQHRvOCeMmidP5FLoUi3Xegm0HRWy5/XFoaAgAANXACAAJ0zAIAAPvTg
Date: Fri, 3 Jun 2016 17:28:14 +0000
Message-ID: <BN3PR03MB1445B98411646620C45FDBEF8C590@BN3PR03MB1445.namprd03.prod.outlook.com>
References: <CAF8qwaDuGyHOu_4kpWN+c+vJKXyERPJu-2xR+nu=sPzG5vZ+ag@mail.gmail.com> <CAF8qwaASpH3Fapo61TDBuF35++GyMbZa4c-9Uy-JZ8CKywpAFw@mail.gmail.com> <CABkgnnXs5UBPZRzPoyiVs1R7arBcPV7WuEY692SHkj=doW6bwQ@mail.gmail.com> <201606030017.20760.davemgarrett@gmail.com> <CABcZeBN2UPNng_0zMEE=v1tWnYTep=q2QEmD91FZfWF69NCsMQ@mail.gmail.com>
In-Reply-To: <CABcZeBN2UPNng_0zMEE=v1tWnYTep=q2QEmD91FZfWF69NCsMQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: rtfm.com; dkim=none (message not signed) header.d=none;rtfm.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:c::1d2]
x-ms-office365-filtering-correlation-id: 3e0a14da-a859-485c-296d-08d38bd471d0
x-microsoft-exchange-diagnostics: 1; BN3PR03MB1445; 5:iUR9J+ci6zYIu9tXX25Sye0/nshpByZT2AQ2ZV5EivVtnc7vILUICKlYa1+0AtLc9a4ZSd/bnMxDFAgyu2xMcwr5D4LIXYhTZwJnCvyRMboaXtoSBYBnoBh4tTV0cqYMthEyVUlk20AYXiXBCoOlCg==; 24:tuYY1RYE1DAvZxcprQibOTZ1TFtO09oN2F9jT3izW7yrZ25Mf5IQmfAZ81sylVqhXoYm8kd7d9+6C8Hr1SNsTa0dperRguKT6f3gSePSjyY=; 7:SUo5wW+cD4NFhJJdD2iFj95OG/BayaWaC1M2BgFRxsHIgcMsaYIxGpZ8Z/94NoofqucywzcCR/ks4WHpoUl5l38b/B+lhBhDpXnwQNLh4o7WdmuYXP96FkTsszvtb0hNVJVbk1nfg79xTlW6jvKXNdLm5euFXjV40KvAfU/UQzqDh5PPOoMkpzRAhEbBFC+27L6mtAgn3EXQ5FNLvrEoeLVZZcbivuiD73TMYjAoYhLYPofkH/c3ifPC+xGkMPXd
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR03MB1445;
x-microsoft-antispam-prvs: <BN3PR03MB144591B5D31C1B412B598EB98C590@BN3PR03MB1445.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(166708455590820)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038); SRVR:BN3PR03MB1445; BCL:0; PCL:0; RULEID:; SRVR:BN3PR03MB1445;
x-forefront-prvs: 0962D394D2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(377454003)(24454002)(81166006)(561944003)(8676002)(19617315012)(87936001)(77096005)(122556002)(76576001)(189998001)(19609705001)(9686002)(99286002)(15975445007)(3280700002)(19580405001)(8936002)(3660700001)(86362001)(5001770100001)(6116002)(790700001)(5003600100002)(10290500002)(5004730100002)(33656002)(5005710100001)(19580395003)(50986999)(92566002)(102836003)(54356999)(5002640100001)(10400500002)(19300405004)(4326007)(76176999)(93886004)(5008740100001)(19625215002)(106116001)(10090500001)(74316001)(2950100001)(16236675004)(586003)(11100500001)(2900100001)(2906002)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR03MB1445; H:BN3PR03MB1445.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN3PR03MB1445B98411646620C45FDBEF8C590BN3PR03MB1445namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jun 2016 17:28:14.4729 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR03MB1445
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/xjaKFCQXZHooyV97_Fc8-nuUyks>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jun 2016 17:28:23 -0000

It’s not that the existing version negotiation mechanism doesn’t work; the problem is that implementers got it wrong. Similarly, implementers can mess up the new negotiation mechanism. Especially since we have to support it at the same time as the old one.

Cheers,

Andrei

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: Friday, June 3, 2016 6:40 AM
To: Dave Garrett <davemgarrett@gmail.com>;
Cc: tls@ietf.org
Subject: Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

My opinion on this hasn't really changed since the last time. This seems like it's more complicated and it's not clear to me why it won't lead to exactly the same version intolerance problem in future.

-Ekr


On Thu, Jun 2, 2016 at 9:17 PM, Dave Garrett <davemgarrett@gmail.com<mailto:davemgarrett@gmail.com>> wrote:
Allrighty then; time to dust off and rebase an old changeset I was fiddling with last year on this topic:
https://github.com/davegarrett/tls13-spec/commit/058ff1518508b094b8c9f1bd4096be9393f20076
(I cleaned up a bit when rebasing, but it probably needs some work; was just a WIP branch, never a PR)

This was the result of prior discussions on-list about TLS version intolerance. The gist of the proposal:
1) Freeze all the various version number fields.
2) Send a list of all supported versions in an extension. (version IDs converted to 16-bit ints instead of 8-bit pairs)
3) Use short (1 or 2 value, based on hello version) predefined lists for hellos from old clients not sending the extension.
4) Compare lists to find highest overlap, avoiding guesswork or problems with noncontinuous lists.
5) Forget the old mess of version intolerance existed.

Do we want to consider scrapping the old version negotiation method again?


Dave