IETF Logo Mail Archive

Re: [TLS] Prohibiting SSL 3.0

mrex@sap.com (Martin Rex) Wed, 29 October 2014 20:43 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE74B1A8ABC for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 13:43:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.251
X-Spam-Level:
X-Spam-Status: No, score=-6.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYPZ0BTPM6VV for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 13:43:12 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE8F11A88D7 for <tls@ietf.org>; Wed, 29 Oct 2014 13:43:12 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 551F43A177; Wed, 29 Oct 2014 21:43:11 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 4529C43E30; Wed, 29 Oct 2014 21:43:11 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 3E9611AF68; Wed, 29 Oct 2014 21:43:11 +0100 (CET)
In-Reply-To: <5450CFC1.2020308@polarssl.org>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Date: Wed, 29 Oct 2014 21:43:11 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20141029204311.3E9611AF68@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/yU0UOtXVCt1RVgZYZ9DJ_g24yxI
Cc: Florian Weimer <fw@deneb.enyo.de>, tls@ietf.org
Subject: Re: [TLS] Prohibiting SSL 3.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 20:43:16 -0000

Manuel Pégourié-Gonnard wrote:
> On 29/10/2014 12:18, Florian Weimer wrote:
>> 
>> I think the SSLv2 compatible client hello is unrelated to the protocol
>> version advertised by the client, but I might be mistaken about that.

Correct.  You can negotiate TLSv1.2 on a connection that is started
with a SSL VERSION 2.0 CLIENT-HELLO.


>
> Unless I'm mistaken, there is no point for a client to send a SSLv2
> compatible ClientHello unless the client is prepared to actually
> negotiate SSLv2. If think if fair to say that client MUST NOT do that.

You might be surprised just how much crap (as servers) got shipped into
the installed base, and what turns out to be the most suitable workaround
to interop with those.

The problem with SSLv3 & ClientHello protocol version negotiation is
that a number of servers totally goofed the implementation, and a number
of clients (pretty much all browsers) followed suit.

The issue with TLS protocol version negotiation is that the SSLv3&TLS record
layer uses a "protocol_version" tag in the record layer PDU that indicates
_the_record_layer_PDU_encoding_, and when an initial ClientHello
is received on a new connection, there is also a ClientHello.client_version
field included.  A number of broken servers screwed up the protocol
version negotiation (which is performed EXCLUSIVELY through
ClientHello.client_version) by choking on the record layer PDU encoding
protocol_version when it differs from ClientHello.client_version.

Now the advantage of the SSL VERSION 2.0 CLIENT-HELLO is that it comes
with only a single protocol version -- and it seems that less server
implementors got that wrong.



> 
> OTOH, accepting an SSLv2 ClientHello on the server makes sense even if the
> server will never negotiate SSLv2. So I guess the MAY here is ok.

We already settled the SSLv2 ClientHello issues.

http://tools.ietf.org/html/rfc6176#section-3


-Martin

v2.23.0 | Report a Bug | By Email