Re: [TLS] Proposal for hybrid solution using most of the ideas

To: tls at ietf.org
Subject: Re: [TLS] Proposal for hybrid solution using most of the ideas
From: David-Sarah Hopwood <david-sarah at jacaranda.org>
Date: Thu, 19 Nov 2009 20:28:44 +0000
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=B7rzfnm6hG9Yai+kIHJI2DfCHkrfcJz6bCenXp6a9c4=; b=ohfh6YWECMUSA0BYPJJ+N3fklcdWwbTq5QsZ6gnwkwfhLhr9pRTx3CiL39YLJz4lqe MM0HKiJmH0nvqTDkaoOfJAyUtjf8hxUVWebGU2+uODXF75EWSuQNlvnSedwK0Rl89zaC ulwTQKx71DZ9qvwjx6ryuuKDBI6xwg3kNrhgg=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=McFhpljR/ioOfWfvePIHweuEi87u/g2lEvOWkb1UgOcK41nFcn7Rt3GwdZ6sUGHIVm jzTPt6B3/jPetmQwr26hS5wtYXbIPq43iGMpUcn6KJuCo6hkhPT638WN3rMV+lB1FgzN 7U7blfs0z3trHwGQX9fWdSfN3+FHsa+pqctQI=
In-reply-to: <C72A33ED.25989%dispensa at phonefactor.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <C72A33ED.25989%dispensa at phonefactor.com>
Sender: David-Sarah Hopwood <djhopwood at googlemail.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666

Steve Dispensa wrote:
> On 11/18/09 10:10 PM, "David-Sarah Hopwood" <david-sarah at jacaranda.org>
> wrote:
>> Falling back to SSLv3 on a renegotiating handshake is not necessary,
> 
> From the client's perspective, it's an initial negotiation, not a
> renegotiation. 

No, I was referring to handshakes that are renegotiating from the
client's perspective.

>> because the server needs to be patched in order for a renegotiating
>> handshake to succeed. If it is patched, then it is TLS- and
>> extension-tolerant.
> 
> That may be(come) true,

It is true by definition, since a TLS- or extension-intolerant server
wouldn't conform to the spec for the patch.

> but most browsers are currently doing fallback to
> SSLv3 when things go wrong during (initial) negotiation. That code is in the
> apps, not the SSL/TLS libraries.
> 
> For that to become true, you'd have to fix all the servers to handle TLS
> (nontrivial in old code I understand)

No. Servers have to be TLS-tolerant (which later SSLv3 drafts already
required) and to handle one extension; not to support TLS.

> *AND* you'd have to get clients to stop falling back to SSLv3.

That's not correct either. Clients can continue to fall back to SSLv3
provided that they do not both fall back *and* renegotiate (from the
client's point of view) on the same handshake.

> They couldn't stop falling back until the need
> to fall back (i.e., broken TLS server implementations) disappears, which may
> take a long time when you consider old code. It will take another long time
> for browsers to stop falling back.
> 
> By the way, I'm assuming requiring SSLv3 to support the extension is a
> non-starter. I realize it's conceptually straightforward to add, but we're
> talking about adding a major mechanism to the protocol and requiring its use
> immediately and unconditionally.

There's nothing particularly difficult about adding support for one
extension to an SSLv3 server. The extensions spec does not make any
assumptions that hold only for TLS and not SSLv3.

Note that, to head off a possible misconception, we are not talking here
about clients sending extensions in ClientHellos with an SSLv3 record
version. The suggestion is that an SSLv3 server could send an extension
in response to a ClientHello with a TLS record version. This will not
cause any additional interoperability problems, and is not much more
difficult than using any other signalling mechanism.

-- 
avid-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Martin Rex
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Michael D'Errico

References:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Steve Dispensa

Prev by Date: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by Date: Re: [TLS] Justification for "Ugly Dirty Hack"
Previous by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Index(es):
- Date
- Thread

Re: [TLS] Proposal for hybrid solution using most of the ideas

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.