Re: [TLS] supported_versions question
David Benjamin <davidben@chromium.org> Mon, 31 October 2016 23:13 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6A491294BE for <tls@ietfa.amsl.com>; Mon, 31 Oct 2016 16:13:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.196
X-Spam-Level:
X-Spam-Status: No, score=-4.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id woV_6V9Gl_Zh for <tls@ietfa.amsl.com>; Mon, 31 Oct 2016 16:13:25 -0700 (PDT)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB7D2127078 for <tls@ietf.org>; Mon, 31 Oct 2016 16:13:24 -0700 (PDT)
Received: by mail-oi0-x230.google.com with SMTP id v84so98562713oie.3 for <tls@ietf.org>; Mon, 31 Oct 2016 16:13:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xO0kVYUhufrhdloX5uLrHkrLrA8N/UB6vW5bQZIorcE=; b=MwlvTt1b5w7HwkGp+Eehe++uUuHmhtNiU7PGMKwa2BX7HmE667VMpxDsi/XzvzdTvN 8FOm5ly1E8OmP4gh1NvOm1Adf9uXpZZKWN3Jw+3aG6IwHkhd6WfutKBJSHjXTQs0baDp tVOiLfKYOAj5BDQjj+E42JVBawFJ3jyhbqBUY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xO0kVYUhufrhdloX5uLrHkrLrA8N/UB6vW5bQZIorcE=; b=lCiDxic0XKA7zH5doadoWeQLHB+mfRKRU3xrWoIShcdZW3fvJC5kVZQaYR+UsguJEW hGNCAAWQZnesFCktcqw1NonJ78M7wEBoaPmCCMkvk6R0k+x5Un/zSu9D8EeOueyLnKEA MZ6/84Asxl8Hc4kVrQfIuwW5gfPiiShL3rQsdSkZQgViQJwMm8kbCpAgPYnqDbRwmLcE SfbHEiXgMv/tjLclfSV4Jq2+XkoguT5tHb5W61ulmzEIyzTspe1eho6dKOI1Vogud8eO iOVdwoyve/5dE8SEpXkf+2IuMOVSQ2G+RuBivtOIm+AUXxYQXLmTxRTQrN756ng/RsLn Vsog==
X-Gm-Message-State: ABUngve3e5pQ/i/8po/mnml/qYg9a0YfYKE0yFHCrB7Vb8xTlqAAOKaIq6GKUgKZt0lYQBmL5KQj8QqGCUDXy4og
X-Received: by 10.107.10.96 with SMTP id u93mr592826ioi.174.1477955603870; Mon, 31 Oct 2016 16:13:23 -0700 (PDT)
MIME-Version: 1.0
References: <CAMoSCWaVJy9f6NFy1Msc1_VSDxRFM2pruhecWb+22N4ct-t0+g@mail.gmail.com> <20161031185724.GA23357@LK-Perkele-V2.elisa-laajakaista.fi> <CAF8qwaCe89epMMzCA0BNfXWss9FWpDze8ScydufdoTNTNqmW1g@mail.gmail.com> <20161031223431.6j23de5gyqx6vpop@roeckx.be>
In-Reply-To: <20161031223431.6j23de5gyqx6vpop@roeckx.be>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 31 Oct 2016 23:13:12 +0000
Message-ID: <CAF8qwaAEfa2V4g+fqG0we+cer5PPrgA3jLQZbJfvq5dKTvs_-A@mail.gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Content-Type: multipart/alternative; boundary="001a113ee79cc3835c0540315a05"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yb6uRxdiJA7F3Ah3x8UxpXO5vxU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] supported_versions question
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2016 23:13:27 -0000
On Mon, Oct 31, 2016 at 6:34 PM Kurt Roeckx <kurt@roeckx.be> wrote: On Mon, Oct 31, 2016 at 07:11:10PM +0000, David Benjamin wrote: > On Mon, Oct 31, 2016 at 2:57 PM Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > On Mon, Oct 31, 2016 at 06:43:52PM +0000, Matt Caswell wrote: > > > A few supported_versions questions: > > > > > > 1) What should a server do if supported_versions is received but > > > ClientHello.legacy_version != TLS1.2? Fail the handshake, or just > > > ignore legacy_version? > > > > If legacy_version > TLS1.2, the spec requires server to ignore > > legacy_version. > > > > The case where legacy_version < TLS1.2 IIRC isn't specified, but > > ignoring legacy_version is reasonable in this case too. > > > > > 2) What should a server do if supported_versions is received, > > > ClientHello.legacy_version == TLS1.2, but supported_versions does not > > > contain TLS1.3 or TLS1.2 (e.g. it contains TLS1.1 or below)? Fail the > > > handshake, use the legacy_version, or use use the versions in > > > supported_versions? > > > > There's also the case where supported_versions has TLS 1.1 and TLS 1.4, > > the latter the server has never heard about... > > > > > 3) If the answer to (2) above is ignore the legacy_version, and just > > > use the versions in supported_versions, which client_version should be > > > used in the RSA pre-master secret calculation? The one in > > > legacy_version, or the highest one in supported_versions? Presumably > > > it has to be the one in legacy_version, otherwise thing will fail when > > > the client talks to a server that doesn't understand > > > supported_versions? > > > > Yeah, I presume putting the version in legacy_version is the only sane > > thing to do. But causes other problems with downgrade protection. > > > > OTOH, RSA key exchange is known to be very broken and is affected by > > all kinds of downgrade (and other) attacks. So if one wants actual > > security, it needs to be removed. > > > > We could say the versions extension only applies to 1.2 and up. I.e. don't > bother advertising 1.1 and 1.0 as a client and servers ignore 1.1 and 1.0 > when they see them in the version list. That keeps the protocol deployable > on the Internet as it exists, avoids having to evaluate too versioning > schemes (if you see the extension, you don't bother reading legacy_version > at all), while avoiding the weird behavior where, given this ClientHello: > > legacy_version: TLS 1.2 > supported_versions: {TLS 1.1} > > TLS 1.3 says to negotiate TLS 1.1 and TLS 1.2 says to negotiate TLS 1.2. So I guess you're also saying that a server that implements TLS 1.1 to TLS 1.3, but disables TLS 1.2 and TLS 1.3 support should ignore the supported_versions even when it knows about it? I guess I have same questions but with only TLS 1.3 disabled, to be sure when we need to look at it. Hrm, actually I hadn't thought of that. Yeah, I guess a server which disables versions must then gate supported_version handling on whether TLS 1.3 is enabled. That's not a dealbreaker, but is certainly additional gnarliness. (Our current implementation just processes the extension uncondtionally, but we'll also happily negotiate old versions out of it.) David
- [TLS] supported_versions question Matt Caswell
- Re: [TLS] supported_versions question Ilari Liusvaara
- Re: [TLS] supported_versions question David Benjamin
- Re: [TLS] supported_versions question Xiaoyin Liu
- Re: [TLS] supported_versions question Ilari Liusvaara
- Re: [TLS] supported_versions question Brian Smith
- Re: [TLS] supported_versions question Kurt Roeckx
- Re: [TLS] supported_versions question Kurt Roeckx
- Re: [TLS] supported_versions question David Benjamin
- Re: [TLS] supported_versions question Matt Caswell
- Re: [TLS] supported_versions question Eric Rescorla
- Re: [TLS] supported_versions question Matt Caswell
- Re: [TLS] supported_versions question Dave Garrett
- Re: [TLS] supported_versions question Matt Caswell
- Re: [TLS] supported_versions question Dave Garrett
- Re: [TLS] supported_versions question Brian Smith
- Re: [TLS] supported_versions question Hubert Kario