Re: [TLS] RI, TLS Extension tolerance and version tolerance in servers
Martin Rex <mrex@sap.com> Mon, 14 December 2009 02:11 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 45A083A6831 for <tls@core3.amsl.com>; Sun, 13 Dec 2009 18:11:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.194
X-Spam-Level:
X-Spam-Status: No, score=-6.194 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mL5QjLNwOfoO for <tls@core3.amsl.com>; Sun, 13 Dec 2009 18:11:17 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 854733A676A for <tls@ietf.org>; Sun, 13 Dec 2009 18:11:17 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id nBE2B3Nr017410 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 14 Dec 2009 03:11:03 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200912140211.nBE2B2rp012757@fs4113.wdf.sap.corp>
To: yngve@opera.com
Date: Mon, 14 Dec 2009 03:11:02 +0100
In-Reply-To: <op.u4uckfreqrq7tp@acorna.invalid.invalid> from "Yngve N. Pettersen" at Dec 12, 9 09:01:17 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] RI, TLS Extension tolerance and version tolerance in servers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2009 02:11:19 -0000
Yngve N. Pettersen wrote: > > I also think that a client supporting RI which, due to fallback > negotiation procedures, sent a MCSV-only handshake MUST, upon discovering > that the server supports RI, terminate the connection (with a warning > close notify, since it is not a real error), and re-establish the > connection with a Client Hello that uses the RI extension. I'm sorry, but I think that is a particularly bad idea, and completely unnecessary. In the IETF we are supposed to define and/or extend protocols in a fashion that promotes interoperability. The purpose of the MCSV is _NOT_ to prevent secure renegotiation in the fashion you describe. MCSV is the Client->Server signal that should be both usable and non-disruptive to all existing SSLv3 and TLS usage scenarios. A server that receives a ClientHello with MCSV must treat this exactly as if it had received an empty TLS extension RI. The only thing that a server needs to know for the initial handshake is that the client has been updated. It is definitely not necessary that the server asks the client to put a bow on it and retry. If that handshake is an initial handshake for the server, then the server must respond with a ServerHello containing an empty TLS extension RI. If the handshake is a renegotiation for the server, then the server must abort the handshake with a fatal handshake alert. Old servers that do _not_ need renegotiation do not need TLS extensions either. They will look purely for MCSV and return 7 extra bytes on ServerHello following compression method -- aka "RI-minimal". > > If this is implemented, this means that all patched servers will be TLS > Extension tolerant, even if the only extension they understand is the RI > Extension. There is a misunderstanding about the term "Extension tolerant". That is supposed to characterize the ClientHello forward compatibility in the 18-Nov-1996 SSLv3 document, in TLSv1.0 (rfc-2246) and TLSv1.1 (rfc-4346). It means that the server receiving data after compression_methods in ClientHello will tolerate the presence of this data, but otherwise _completely_ ignore it. The client MUST send MCSV on _every_ ClientHello, so that the Client->Server signaling completely condition-free, which will make it trivial to implement and robust. This easy rule completely obviates any talking about special cases or attack scenario. Every TLS handshake requires an initial ClientHello, and if that ClientHello always carries the Client->Server signal (which is easy to accomplish for the MCSV and non-disruptive to existing usage scenarios, then it will be completely impossible to lure an updated client into an old renegotiation with an updated server, no matter how willing client and server are to perform backwards interoperable renegotiations with old peers. -Martin
- [TLS] RI, TLS Extension tolerance and version tol… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] RI, TLS Extension tolerance and version… Martin Rex
- Re: [TLS] RI, TLS Extension tolerance and version… David-Sarah Hopwood
- Re: [TLS] RI, TLS Extension tolerance and version… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] RI, TLS Extension tolerance and version… Martin Rex
- Re: [TLS] RI, TLS Extension tolerance and version… Yngve Nysaeter Pettersen
- Re: [TLS] RI, TLS Extension tolerance and version… Martin Rex
- Re: [TLS] RI, TLS Extension tolerance and version… Yngve Nysaeter Pettersen
- Re: [TLS] RI, TLS Extension tolerance and version… Nelson B Bolyard
- Re: [TLS] RI, TLS Extension tolerance and version… Martin Rex
- Re: [TLS] RI, TLS Extension tolerance and version… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] RI, TLS Extension tolerance and version… Michael D'Errico
- Re: [TLS] RI, TLS Extension tolerance and version… David-Sarah Hopwood
- Re: [TLS] RI, TLS Extension tolerance and version… David-Sarah Hopwood
- Re: [TLS] RI, TLS Extension tolerance and version… David-Sarah Hopwood
- Re: [TLS] RI, TLS Extension tolerance and version… David-Sarah Hopwood
- Re: [TLS] RI, TLS Extension tolerance and version… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] RI, TLS Extension tolerance and version… Martin Rex