Re: [TLS] Renego Indication RI patch interaction with TLS major version interop

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Tue, 15 June 2010 23:50 UTC


On Tue, 15 Jun 2010 23:31:58 +0200, Adam Langley <agl@google.com> wrote:

> On Tue, Jun 15, 2010 at 5:16 PM, Simon Josefsson <simon@josefsson.org>  
> wrote:
>> jas@mocca:~$ gnutls-cli -p 443 www.paypal.com
>> Resolving 'www.paypal.com'...
>> Connecting to '64.4.241.49:443'...
>> *** Fatal error: A TLS packet with unexpected length was received.
>> *** Handshake has failed
>> GNUTLS ERROR: A TLS packet with unexpected length was received.
>> jas@mocca:~$
>
> Although I can confirm the brain damage exhibited by www.microsoft.com
> and www.ibm.com, www.paypal.com doesn't have an issue with a
> ClientHello advertising TLS version 1.2. It might have other problems,
> but see the attached handshake.

For reference, my prober utility (which is not testing everything yet ;),  
like not checking record padding variation) diagnoses www.paypal.com with  
the following:

   - Not renego patched
   - Version intolerant (refuses to negotiate with client specifying TLS NG, v4.x)
   - No version checking of RSA Client Key Exchange (CKE)
   - Does not support AES


www.microsoft.com and www.ibm.com results:

   - Not renego patched
   - Version intolerant (refuses to negotiate with client specifying TLS 1.1 or higher)


For those interested, at present

   - 3.4% of 383531 probed servers are intolerant in the 3.x range (69% including the 4.x range, 83% of renego patched servers also in the v4.x range)
   - 0.4% require RSA CKE version field to match negotiated version
   - 31.6% do not check the RSA CKE version field
   - 43 of 383531 servers mirror the client hello version back to the client
   - 990 of 383531 servers use the record protocol field instead of the client hello version when negotiating
   - 99 of 383531 support TLS 1.1
   - 2 of 383531 support TLS 1.2 (both are known test servers)

Among renego patched servers, while virtually all are tolerant in the v3.x  
range, recently some that are version intolerant in the v3.x range have  
started to show up. From this week's run:

    live.rapidswholesale.com
    pazion.nl
    hypotheek-aanvragen.nl
    droog.com
    sso.u-bordeaux3.fr
    www.seekame.com

None of these six servers tolerate v3.4, "TLS 1.3" (multiple tests  
performed); TLS 1.2 was accepted. Most of them identify as Apache, but  
there is no commonality in version numbers, and I suspect that the block  
is done by a server or firewall in front of the servers.

There were also two other servers that showed up in this week's run, but  
those detections may be false positives due to other issues.



-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
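
The version-handling categories tallied in the message above, as an added example that is not part of the original post and is not the prober it mentions: modelled servers receive constructed ClientHello records, and the probe sequence separates correct negotiation from 3.x/4.x intolerance, version mirroring, and negotiating from the record-layer field. `SERVER_MAX`, the policy names and the truncated 11-byte record are assumptions made for the illustration.

```python
# Added illustration with modelled servers; no network traffic is sent.
# Versions are (major, minor) wire values: SSL 3.0 = (3, 0), TLS 1.0 = (3, 1).
SERVER_MAX = (3, 1)  # assumption: every modelled server tops out at TLS 1.0

def make_hello(record_ver, hello_ver):
    """Constructed minimal record: both headers plus client_version only."""
    return bytes([0x16, *record_ver, 0, 6, 0x01, 0, 0, 2, *hello_ver])

def hello_versions(record: bytes):
    """Return (record-layer version, ClientHello.client_version)."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    return (record[1], record[2]), (record[9], record[10])

# Each policy maps (record version, hello version) to the version the server
# answers with; None stands for a failed handshake.
SERVERS = {
    "correct":      lambda rec, hello: min(hello, SERVER_MAX),
    "intolerant3x": lambda rec, hello: hello if hello <= SERVER_MAX else None,
    "intolerant4x": lambda rec, hello: None if hello[0] > 3 else min(hello, SERVER_MAX),
    "mirror":       lambda rec, hello: hello,
    "record_field": lambda rec, hello: min(rec, SERVER_MAX),
}

def probe(policy, record_ver, hello_ver):
    """Deliver one constructed ClientHello to a modelled server."""
    return policy(*hello_versions(make_hello(record_ver, hello_ver)))

def classify(policy):
    """Run the probe sequence and return the set of findings."""
    base = probe(policy, (3, 1), (3, 1))      # plain TLS 1.0 hello as baseline
    findings = set()
    if probe(policy, (3, 1), (3, 4)) is None:
        findings.add("intolerant in 3.x range")
    if probe(policy, (3, 1), (4, 1)) is None:
        findings.add("intolerant in 4.x range")
    if probe(policy, (3, 1), (4, 1)) == (4, 1):
        findings.add("mirrors client hello version")
    if probe(policy, (3, 0), (3, 1)) != base:  # only the record field changed
        findings.add("uses record-layer version")
    return findings or {"tolerant"}

if __name__ == "__main__":
    for name, policy in SERVERS.items():
        print(f"{name:13s} {sorted(classify(policy))}")
```
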