Re: [TLS] No cypher overlap (was: ban more old crap)
Hubert Kario <hkario@redhat.com> Wed, 29 July 2015 09:59 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 760201A028A for <tls@ietfa.amsl.com>; Wed, 29 Jul 2015 02:59:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5QJBnvndV5Ey for <tls@ietfa.amsl.com>; Wed, 29 Jul 2015 02:59:53 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A62E1A0217 for <tls@ietf.org>; Wed, 29 Jul 2015 02:59:53 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id 5DEE078; Wed, 29 Jul 2015 09:59:52 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-112-64.ams2.redhat.com [10.36.112.64]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t6T9xlCh022403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Jul 2015 05:59:51 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Wed, 29 Jul 2015 11:59:41 +0200
Message-ID: <2289724.pXJjcWpFTc@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.9 (Linux/4.0.8-300.fc22.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <20150728160154.GU4347@mournblade.imrryr.org>
References: <8087760.Ce9A43SzlW@pintsize.usersys.redhat.com> <20150728160154.GU4347@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2165947.i50fGD6tct"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/zL-16PK0jGLV1VFpbBoxFpV22HE>
Subject: Re: [TLS] No cypher overlap (was: ban more old crap)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 09:59:54 -0000
On Tuesday 28 July 2015 16:01:55 Viktor Dukhovni wrote: > On Tue, Jul 28, 2015 at 05:41:58PM +0200, Hubert Kario wrote: > > I see one possible problem with TLS1.3 not being a superset of TLS1.2. > > > > Consider the following: > > Server which supports TLSv1.3 but is configured to accept only AES256 > > ciphers. > > > > Client which advertises TLSv1.3, but no support for AES256-GCM. The client > > advertises also CBC ciphers (both AES128 and AES256) as it wants to be > > able > > to connect to legacy servers too. > > > > Should such a connection end up with TLS1.2 with AES-CBC ciphersuite, or > > should it be aborted? > > We already see a similar dilemma with clients that (artificially) > support only SSLv2 ciphersuites, but advertise TLS protocol versions. > OpenSSL will first choose a common protocol (TLS 1.x) and then fail > to find any shared ciphers. To complete the connection, the client > must explicitly request only SSL 2.0. There is at present no > filtering out of protocol choices for lack of compatible ciphers. > > > I think we should go for continue connection with downgraded protocol, but > > explicitly say that it may not happen if the negotiated ciphersuite would > > be DES, RC4, export grade... > > In that case, it should be said that a client MUST NOT advertise > TLS 1.3 unless it offers at least one of the TLS 1.3 MTI ciphers > (or perhaps less restrictive at least one TLS 1.3 compatible cipher). MTI does not mean Mandatory To Enable > Otherwise, there'll be lots of clients whose TLS libraries advertise > 1.3 (just because they implement the protocol), but whose cipher > configuration includes only TLS 1.2 (or lower) suites (because the > application configuration has not been updated). yes, that's what I'm afraid of > Punishing those clients by having servers abort the handshake is > a bad idea. The right outcome is use of TLS 1.2, whether because > client implementations of 1.3 need to check that adequate cipher > suites are available, or because servers negotiate 1.2 when 1.3 > is impossible. neither clients nor servers are required to support (have them enabled) all ciphersuites defined for TLS1.3, so there is always chance for no common cipher between them -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [TLS] No cypher overlap (was: ban more old crap) Hubert Kario
- Re: [TLS] No cypher overlap (was: ban more old cr… Viktor Dukhovni
- Re: [TLS] No cypher overlap (was: ban more old cr… Hubert Kario
- Re: [TLS] No cypher overlap Florian Weimer
- Re: [TLS] No cypher overlap Florian Weimer
- Re: [TLS] No cypher overlap Martin Rex
- Re: [TLS] No cypher overlap Hubert Kario
- Re: [TLS] No cypher overlap Simon Josefsson