Re: [TLS] TLS renegotiation issue

SSL3 is still in wide use since it is not considered insecure (other than the renegotiation issue).  Is it feasible to explicitly deprecate SSL3?  Or state that renegotiation support for SSL3 is deprecated?

Here is the rationale.  Clients that have both SSL3/TLS1 enabled will send a 'mixed-type' SSL3/TLS1 ClientHello (i.e. Record.version = 3.0, ClientHello.version = 3.1).  Such clients should, strictly speaking, not include TLS extensions, which means that renegotiation should not be allowed by the server regardless of the protocol version negotiated.  Considering that a majority of clients will continue to support both SSL3 and TLS1 for some time (as a practical matter), the new extension will not come into effect unless clients (a) cease sending mixed-type ClientHello messages, or (b) send TLS extensions even when Record.version = 3.0. 

Option (a) leaves open the possibility for downgrade attacks (i.e. a MITM blocks TLS1 connections, allowing clients to reconnect over SSL3 -- I recall that at least one major browser will attempt to reconnect over SSL3 if a TLS1, or mixed-type handshake fails).  Option (b) requires extension support to be "back-ported" to SSL3.

I suggest that the draft discourage the use of SSL3 entirely.

On Thu, Nov 5, 2009 at 10:16 AM, Eric Rescorla <ekr at rtfm.com> wrote:
> I now have a draft extension up at:
>
> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
> https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.xml
>
> Comments welcome.
>
> -Ekr
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

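The mixed-type ClientHello described in the message above (Record.version = 3.0 with ClientHello.version = 3.1) and the server-side decision it forces are easy to make concrete. The following is an added example, not code from the thread or from the draft: it parses a ClientHello record, reports whether the hello is mixed-type and whether it carries any extensions, and derives a conservative renegotiation policy from that. It assumes the renegotiation_info extension type (0xff01) and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00ff) as later assigned in RFC 5746; the draft under discussion may have used different values. The sample hellos are constructed inline.

```python
"""Classify a TLS ClientHello by record/handshake version and extensions."""
import struct

# Values as assigned in RFC 5746 (assumption: the draft discussed in the
# thread may have used other identifiers).
RENEGOTIATION_INFO_EXT = 0xFF01
EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF


def parse_client_hello(data: bytes) -> dict:
    """Parse one handshake record carrying a ClientHello.

    Returns the record version, the ClientHello version, the offered cipher
    suites and the list of extension types (empty for SSL3-style hellos).
    """
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver = (data[1], data[2])
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")

    hello_ver = (hello[0], hello[1])
    pos = 2 + 32                                  # skip client_version, random
    sid_len = hello[pos]
    pos += 1 + sid_len                            # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = hello[pos]
    pos += 1 + cm_len                             # compression_methods
    if pos > len(hello):
        raise ValueError("malformed ClientHello body")

    exts = []
    if pos < len(hello):                          # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(hello):
            raise ValueError("malformed extensions block")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4 + elen
            exts.append(etype)
    return {"record_version": rec_ver, "hello_version": hello_ver,
            "cipher_suites": suites, "extensions": exts}


def classify(info: dict) -> dict:
    """Derive the server-side view: is this a mixed-type hello, does it carry
    extensions at all, and did the client signal secure renegotiation?"""
    mixed = info["record_version"] == (3, 0) and info["hello_version"] > (3, 0)
    signalled = (RENEGOTIATION_INFO_EXT in info["extensions"]
                 or EMPTY_RENEGOTIATION_INFO_SCSV in info["cipher_suites"])
    return {"mixed_type": mixed,
            "has_extensions": bool(info["extensions"]),
            "signals_secure_renegotiation": signalled,
            # Conservative policy: no signal from the client, no renegotiation,
            # whatever protocol version ends up being negotiated.
            "allow_renegotiation": signalled}


def build_client_hello(record_version, hello_version, suites, extensions=()):
    """Construct a ClientHello record for testing (sample data, not captured)."""
    body = bytes(hello_version) + bytes(32) + b"\x00"   # version, random, no session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    samples = {
        "mixed-type, no extensions": build_client_hello((3, 0), (3, 1), [0x002F]),
        "TLS1 with renegotiation_info": build_client_hello(
            (3, 1), (3, 1), [0x002F], [(RENEGOTIATION_INFO_EXT, b"\x00")]),
        "SSL3 with SCSV": build_client_hello(
            (3, 0), (3, 0), [0x002F, EMPTY_RENEGOTIATION_INFO_SCSV]),
    }
    for name, rec in samples.items():
        print(name, classify(parse_client_hello(rec)))
```

The SCSV case is the reason the example also looks at cipher suites: a client that cannot send extensions in an SSL3-framed hello can still signal through the suite list, which is the "back-ported" signalling option (b) would otherwise require.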

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.