Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: mrex at sap.com
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Martin Rex <mrex at sap.com>
Date: Mon, 9 Nov 2009 18:20:11 +0100 (MET)
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <200911091646.nA9GkW6n008821 at fs4113.wdf.sap.corp> from "Martin Rex" at Nov 9, 9 05:46:32 pm
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Hmmm, I think I can answer this myself:

Martin Rex wrote:
> 
> If you look at the TLSv1.0 spec (rfc2246) and TLSv1.1 spec (rfc4346),
> neither contains extension data in the ServerHello in the base spec.
> 
> Is there a reason why TLS extensions should _NOT_ be applicable
> to SSLv3 in just the same way they're applicable to TLSv1.0 and TLSv1.1 ?
> 
> 
> There may be SSLv3 servers out there that choke on extension data
> in the ClientHello.  But that doesn't mean that one could not
> upgrade SSLv3 servers to support TLS extensions.  The more interesting
> question is IMHO -- which TLS clients will choke when an SSLv3 server
> returns a ServerHello extension?  spec-wise, a ServerHello extension
> is as unusual to SSLv3 as it is to TLSv1.0.

Since such an SSLv3 server will only be returning extensions in
an extended ServerHello that the TLS client asserted, and in our
specific situation here, the new extension for secure renegotiation
that we're just defining, then the answer is:  Test the update
before shipping it, and all TLS clients with the secure renegotiation
update ought to interoperate smoothly with SSLv3 servers that implement
this TLS extension.

Adding support for other/existing TLS extensions might eventually
confuse or upset installed base TLS clients, so I wouldn't try those
this time. :) 

-Martin

References:
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Martin Rex

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: Re: [TLS] Implementing https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegot iate.txt
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.