Re: [TLS] Proposal for hybrid solution using most of the ideas

To: marsh at extendedsubset.com (Marsh Ray)
Subject: Re: [TLS] Proposal for hybrid solution using most of the ideas
From: Martin Rex <mrex at sap.com>
Date: Thu, 19 Nov 2009 20:21:55 +0100 (MET)
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <4B059658.2010200 at extendedsubset.com> from "Marsh Ray" at Nov 19, 9 01:02:48 pm
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Marsh Ray wrote:
> 
> So using extensions (even when both ends support TLS 1.1) would
> significantly change the client hello for many current clients? Yngve of
> Opera and Nelson of Mozilla had posted some connection logic that didn't
> work quite like that. But now that you mention it that is what I see
> from typical non-browser clients.
> 
> Back to unified SSL/TLS solutions then.
> 
> Looks like C->S signaling could be achieved back to SSLv2 with the magic
> cipher suite technique.
> 
> For S->C, setting that high bit in the version field is looking not so
> bad now.
> 
> RFC 4346:
> > server_version
> >       This field will contain the lower of that suggested by the client
> >       in the client hello and the highest supported by the server.
> 
> What worries me is that a great many inspecting firewalls are going to
> see that and freak out because the server is replying with a version
> higher than the client.

I'm somewhat more worried about breaking interop with SSL and TLS peers
than confusing inspecting firewalls.

It is the IETF that defines how TLS clients and TLS servers can negotiate
a change in protocol and consensually communicate with modified
semantics.  If they want to filter on "signatures" of known attacks,
fine, but they must not make flawed assumptions about evolvement
of network or transport-level protocols.

> 
> Perhaps those nice, friendly, and helpful networking hardware and
> software vendors on this list will offer some lab time to check this out?

Of course, if vendors/suppliers are listening in to this discussion,
it would be interesting to hear their opinion on what kind of changes
might upset their equiment!

> 
> Another possibility is bit 15 of cipher_suite, assuming there will not
> be a need for 32769 different cipher suites before extensions become usable.

The ciphersuite number space is dived into three ranges:

http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-3

So you can not just shave off one bit at one end.

Same for compression identifiers (3 ranges):

http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml

-Martin

Follow-Ups:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Marsh Ray

References:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Marsh Ray

Prev by Date: Re: [TLS] simplistic renego protection
Next by Date: Re: [TLS] Proposal for hybrid solution using most of the ideas
Previous by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Index(es):
- Date
- Thread

Re: [TLS] Proposal for hybrid solution using most of the ideas

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.