[TLS] Windows 2003 TLS 64 ciphersuite limit
Nico Williams <nico@cryptonector.com> Thu, 07 November 2013 21:38 UTC
Date: Thu, 07 Nov 2013 15:37:46 -0600
From: Nico Williams <nico@cryptonector.com>
To: tls@ietf.org
Message-ID: <20131107213744.GQ18713@localhost>
Subject: [TLS] Windows 2003 TLS 64 ciphersuite limit
A non-subscriber (who doesn't want to subscribe just to send this) has asked me to forward this to the TLS WG list. Without further ado:

From: Viktor Dukhovni <postfix-users@dukhovni.org>
Subject: Windows 2003 TLS 64 ciphersuite limit
Date: Thu, 7 Nov 2013 19:40:16 +0000

[ Please forward to TLS list ]

While we're removing interoperability obstacles with TLSv1.2, ...

There is another problem with expanded client HELLO messages. The Windows 2003 TLS stack (still used by a non-trivial number of Microsoft Exchange SMTP servers) only looks at the first 64 elements of the cipherlist. If neither RC4-SHA nor RC4-MD5 is among these, it sometimes chooses 3DES (for which it misimplements CBC padding) and fails during data transfer, or, if that is suppressed or also too far down the list, just fails the handshake.

With TLSv1.2 in OpenSSL master (dev branch), one usually finds RC4 at position:

    $ openssl ciphers -v 'DEFAULT' | grep -n '^RC4-'
    93:RC4-SHA    SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1

    $ openssl ciphers -v 'ALL:!SSLv2' | grep -n '^RC4-'
    111:RC4-SHA   SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1

so TLS handshakes with these servers fail!

It is not clear what should be done here; the most practical reordering and trimming that comes to mind is:

    $ openssl ciphers -v 'ALL:!SSLv2:-RC4:RC4-SHA:RC4:+SEED:!IDEA:!3DES:!MD5:!aDSS:!aDH:!PSK:!SRP:@STRENGTH' | grep -n '^RC4-SHA'
    51:RC4-SHA    SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1

which does not leave much room for more ciphers. I've never seen DSS or DH certificates in the wild, but presumably they are needed in some quarters, so this is likely not a generally applicable solution.

I don't know how much longer such servers are likely to remain active. Postfix users are working around this with custom cipher exclusions in the per-destination TLS policy table on a case-by-case basis. :-(

The best outcome would be if they all got upgraded! This will take some time I imagine.

-- 
Viktor.
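The following is an added example and is not part of Viktor's or Nico's message, nor Postfix or OpenSSL code. It builds a minimal TLS ClientHello carrying an arbitrary cipher-suite list, parses the list back out the way a server would (so it can also be pointed at a captured ClientHello), reports a suite's 1-based position in the offer (the same number `grep -n` prints above), and models a server that, like the Windows 2003 stack described, only examines the first 64 offered suites. The suite code points are the IANA values; the server's preference order (RC4 first, 3DES as fallback, otherwise failure), the `move_to_front` reordering and the filler list are assumptions constructed here for illustration, not OpenSSL's cipher-string semantics.

```python
"""Model the 'first 64 suites only' server behaviour against a real ClientHello."""
import os
import struct

# IANA cipher-suite code points (OpenSSL names in comments).
RC4_SHA = 0x0005   # TLS_RSA_WITH_RC4_128_SHA        -> RC4-SHA
RC4_MD5 = 0x0004   # TLS_RSA_WITH_RC4_128_MD5        -> RC4-MD5
DES_CBC3 = 0x000A  # TLS_RSA_WITH_3DES_EDE_CBC_SHA   -> DES-CBC3-SHA

WIN2003_SCAN_LIMIT = 64  # number of offered suites the Windows 2003 stack inspects

# Constructed filler: 92 stand-in code points so that RC4-SHA lands at position 93,
# the position reported for OpenSSL master's DEFAULT list above. Not real offers.
FILLER = [0xC000 + i for i in range(92)]
SAMPLE_OFFERED = FILLER + [RC4_SHA, RC4_MD5, DES_CBC3]


def build_client_hello(suites, version=(3, 3)):
    """Return a TLS record holding a minimal ClientHello that offers `suites` in order."""
    body = struct.pack("!BB", *version)                  # client_version
    body += os.urandom(32)                               # random
    body += b"\x00"                                      # session_id: empty
    body += struct.pack("!H", 2 * len(suites))           # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # compression_methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello(1)
    return b"\x16" + struct.pack("!BBH", *version, len(handshake)) + handshake  # handshake(22)


def parse_client_hello_suites(record):
    """Extract the offered cipher-suite list from a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                         # skip client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                                   # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]


def suite_position(suites, suite):
    """1-based position of `suite` in the offer (what `grep -n` prints), or None."""
    return suites.index(suite) + 1 if suite in suites else None


def win2003_select(offered, server_prefs=(RC4_SHA, RC4_MD5, DES_CBC3), limit=WIN2003_SCAN_LIMIT):
    """Assumed model of the Windows 2003 server: only the first `limit` offered suites
    are considered; it takes the first of its preferences found there. RC4 works,
    3DES is negotiated but (per the report) breaks later, None means handshake failure."""
    visible = offered[:limit]
    for s in server_prefs:
        if s in visible:
            return s
    return None


def move_to_front(suites, preferred):
    """Simplified reordering (an assumption, not OpenSSL's cipher-string evaluation):
    pull `preferred` suites to the head of the list so they fall inside the scan window."""
    return [s for s in preferred if s in suites] + [s for s in suites if s not in preferred]


def check_offer(record):
    """Summarise what the modelled server would do with a captured/built ClientHello."""
    offered = parse_client_hello_suites(record)
    return {
        "count": len(offered),
        "rc4_sha_pos": suite_position(offered, RC4_SHA),
        "within_window": (suite_position(offered, RC4_SHA) or 10**9) <= WIN2003_SCAN_LIMIT,
        "selected": win2003_select(offered),
    }


if __name__ == "__main__":
    before = check_offer(build_client_hello(SAMPLE_OFFERED))
    after = check_offer(build_client_hello(move_to_front(SAMPLE_OFFERED, [RC4_SHA])))
    print("default order:", before)    # RC4-SHA at 93, selected None -> handshake fails
    print("RC4-SHA first:", after)     # RC4-SHA at 1, selected 0x0005
```

Feeding a real captured ClientHello to `check_offer` is the quickest way to see whether a client's configured list keeps RC4-SHA inside the 64-suite window; the `DES_CBC3` case (3DES visible, RC4 not) is the one the report says negotiates and then fails during data transfer, so a result of `0x000A` should be treated as a failure too, not a success.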
- [TLS] Windows 2003 TLS 64 ciphersuite limit Nico Williams
- Re: [TLS] Windows 2003 TLS 64 ciphersuite limit Wan-Teh Chang
- Re: [TLS] Windows 2003 TLS 64 ciphersuite limit Watson Ladd
- Re: [TLS] Windows 2003 TLS 64 ciphersuite limit Martin Rex
- Re: [TLS] Windows 2003 TLS 64 ciphersuite limit Martin Rex
- Re: [TLS] Windows 2003 TLS 64 ciphersuite limit Wan-Teh Chang
- Re: [TLS] Windows 2003 TLS 64 ciphersuite limit Dr Stephen Henson
- Re: [TLS] Windows 2003 TLS 64 ciphersuite limit Martin Rex
- Re: [TLS] Windows 2003 TLS 64 ciphersuite limit Nico Williams