Re: [TLS] TLS Protocol Version

To: Pasi.Eronen at nokia.com
Subject: Re: [TLS] TLS Protocol Version
From: Martin Rex <mrex at sap.com>
Date: Fri, 20 Nov 2009 18:58:18 +0100 (MET)
Cc: tls at ietf.org
Delivered-to: tls at core3.amsl.com
In-reply-to: <808FD6E27AD4884E94820BC333B2DB774F30FE12B7 at NOK-EUMSG-01.mgdnok.nokia.com> from "Pasi.Eronen at nokia.com" at Nov 18, 9 08:02:47 pm
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Reply-to: mrex at sap.com

Pasi.Eronen at nokia.com wrote:
> 
> BTW, there's another common renegotiation case where a "low-hanging
> fruit" (trivial-to-implement solution known not to cause interop
> problems with broken servers) exists: changing from server-only
> authentication to mutual authentication (with certificate-based 
> cipher suites).
> 
> In this case, the client could include a magic "This is a
> renegotiation, but with same server certificate" cipher suite in the
> renegotiation client hello, and verify that the server certs in the old
> and new sessions are identical (bitwise). This would be just a magic
> cipher suite number: no other on-the-wire changes, and no changes to
> Finished message calculations. But the server would know this
> renegotiation is secure, and could proceed even if it prohibited
> "old-style" insecure renegotiation.


When there really is a desire to add a few simple signals in
a (probably) fully backwards compatible fashion into all existing
TLS&SSL protocols through magic ciphersuite,

Then I would like to suggest the following approach:

 - have an entire range (set of 256 ciphersuites) assigned for
   this purpose (e.g. first byte 190/0xBE or 191/0xBF )

 - use the low byte of this range as a bitfield of 8-bits
   for signaling that can be independently assigned by TLS WG / IANA

 - require this magic ciphersuite to be first in the cipher_suites
   list of the ClientHello if this signaling facility is to be used

 - require the Server to NOT ever negotiate a ciphersuite from this range
   i.e. remove it from the list when it appears first in
   ClientHello.cipher_suites and do not pass it on to functions
   that determine a common cipher suite with the client.

 - strongly recommend clients and servers to filter this magic
   ciphersuite range from normal cipher suite configuration APIs


-Martin

References:
- Re: [TLS] TLS Protocol Version
  - From: Pasi.Eronen

Prev by Date: [TLS] Interesting client behavior
Next by Date: [TLS] RC4+3DES rekeying - long-lived TLS connections
Previous by thread: Re: [TLS] TLS Protocol Version
Next by thread: Re: [TLS] TLS Protocol Version
Index(es):
- Date
- Thread

Re: [TLS] TLS Protocol Version

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.