Re: [TLS] Prohibiting SSL 3.0
mrex@sap.com (Martin Rex) Wed, 29 October 2014 20:43 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE74B1A8ABC for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 13:43:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.251
X-Spam-Level:
X-Spam-Status: No, score=-6.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYPZ0BTPM6VV for <tls@ietfa.amsl.com>; Wed, 29 Oct 2014 13:43:12 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE8F11A88D7 for <tls@ietf.org>; Wed, 29 Oct 2014 13:43:12 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 551F43A177; Wed, 29 Oct 2014 21:43:11 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 4529C43E30; Wed, 29 Oct 2014 21:43:11 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 3E9611AF68; Wed, 29 Oct 2014 21:43:11 +0100 (CET)
In-Reply-To: <5450CFC1.2020308@polarssl.org>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Date: Wed, 29 Oct 2014 21:43:11 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20141029204311.3E9611AF68@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/yU0UOtXVCt1RVgZYZ9DJ_g24yxI
Cc: Florian Weimer <fw@deneb.enyo.de>, tls@ietf.org
Subject: Re: [TLS] Prohibiting SSL 3.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 20:43:16 -0000
Manuel Pégourié-Gonnard wrote: > On 29/10/2014 12:18, Florian Weimer wrote: >> >> I think the SSLv2 compatible client hello is unrelated to the protocol >> version advertised by the client, but I might be mistaken about that. Correct. You can negotiate TLSv1.2 on a connection that is started with a SSL VERSION 2.0 CLIENT-HELLO. > > Unless I'm mistaken, there is no point for a client to send a SSLv2 > compatible ClientHello unless the client is prepared to actually > negotiate SSLv2. If think if fair to say that client MUST NOT do that. You might be surprised just how much crap (as servers) got shipped into the installed base, and what turns out to be the most suitable workaround to interop with those. The problem with SSLv3 & ClientHello protocol version negotiation is that a number of servers totally goofed the implementation, and a number of clients (pretty much all browsers) followed suit. The issue with TLS protocol version negotiation is that the SSLv3&TLS record layer uses a "protocol_version" tag in the record layer PDU that indicates _the_record_layer_PDU_encoding_, and when an initial ClientHello is received on a new connection, there is also a ClientHello.client_version field included. A number of broken servers screwed up the protocol version negotiation (which is performed EXCLUSIVELY through ClientHello.client_version) by choking on the record layer PDU encoding protocol_version when it differs from ClientHello.client_version. Now the advantage of the SSL VERSION 2.0 CLIENT-HELLO is that it comes with only a single protocol version -- and it seems that less server implementors got that wrong. > > OTOH, accepting an SSLv2 ClientHello on the server makes sense even if the > server will never negotiate SSLv2. So I guess the MAY here is ok. We already settled the SSLv2 ClientHello issues. http://tools.ietf.org/html/rfc6176#section-3 -Martin
- [TLS] Prohibiting SSL 3.0 Yuhong Bao
- Re: [TLS] Prohibiting SSL 3.0 Martin Thomson
- Re: [TLS] Prohibiting SSL 3.0 Florian Weimer
- Re: [TLS] Prohibiting SSL 3.0 Hubert Kario
- Re: [TLS] Prohibiting SSL 3.0 Peter Gutmann
- Re: [TLS] Prohibiting SSL 3.0 Florian Weimer
- Re: [TLS] Prohibiting SSL 3.0 Ilari Liusvaara
- Re: [TLS] Prohibiting SSL 3.0 Manuel Pégourié-Gonnard
- Re: [TLS] Prohibiting SSL 3.0 Bodo Moeller
- Re: [TLS] Prohibiting SSL 3.0 Eric Rescorla
- Re: [TLS] Prohibiting SSL 3.0 Manuel Pégourié-Gonnard
- Re: [TLS] Prohibiting SSL 3.0 Salz, Rich
- Re: [TLS] Prohibiting SSL 3.0 Hubert Kario
- Re: [TLS] Prohibiting SSL 3.0 Yoav Nir
- Re: [TLS] Prohibiting SSL 3.0 Hubert Kario
- Re: [TLS] Prohibiting SSL 3.0 Yoav Nir
- Re: [TLS] Prohibiting SSL 3.0 Hubert Kario
- Re: [TLS] Prohibiting SSL 3.0 Martin Rex
- Re: [TLS] Prohibiting SSL 3.0 Manuel Pégourié-Gonnard
- Re: [TLS] Prohibiting SSL 3.0 Martin Rex
- Re: [TLS] Prohibiting SSL 3.0 Watson Ladd
- Re: [TLS] Prohibiting SSL 3.0 Martin Rex
- Re: [TLS] Prohibiting SSL 3.0 Geoffrey Keating
- Re: [TLS] Prohibiting SSL 3.0 Watson Ladd
- Re: [TLS] Prohibiting SSL 3.0 Bodo Moeller
- Re: [TLS] Prohibiting SSL 3.0 Watson Ladd
- Re: [TLS] Prohibiting SSL 3.0 Bodo Moeller
- Re: [TLS] Prohibiting SSL 3.0 Watson Ladd
- Re: [TLS] Prohibiting SSL 3.0 Sean Turner
- Re: [TLS] Prohibiting SSL 3.0 Joseph Salowey
- Re: [TLS] Prohibiting SSL 3.0 Yuhong Bao
- Re: [TLS] Prohibiting SSL 3.0 Yoav Nir
- Re: [TLS] Prohibiting SSL 3.0 Dave Garrett
- Re: [TLS] Prohibiting SSL 3.0 Jeffrey Walton
- Re: [TLS] Prohibiting SSL 3.0 Yoav Nir