[TLS] Client Hello version during renegotiation.

Fabrice Gautier <fabrice.gautier@gmail.com> Tue, 26 March 2013 23:29 UTC

Hi all,

If I'm reading the RFC 5746 correctly, a TLS 1.2 client that initially
negotiated a TLS 1.0 connection with a server should subsequently set
their ClientHello.version to TLS 1.0 in any subsequent renegotiation.

Also, when generating the premaster secret in the RSA key exchange,
the client should use the protocol version sent in its
ClientHello.version, although using the negotiated version may be
acceptable.


As it turns out, it looks like Exchange 2010 servers are not playing
nice with this.

Those servers do not support TLS 1.2 and will downgrade to 1.0.
They will properly accept the 1.2 version in the premaster secret
during the initial handshake.
But when the client sends a TLS 1.0 client hello during a
renegotiation, the handshake will fail if a TLS 1.0 version is used in
the premaster secret.
It will succeed if a TLS 1.2 version is used in the premaster secret
during the renegotiation.

On the other hand, using a TLS 1.2 version in the premaster secret,
while sending a TLS 1.0 client hello, will break OpenSSL and GnuTLS
servers.

It looks like this is worked around in OpenSSL (1.0.1) by sending a
TLS 1.2 client hello during the renegotiation, even if the server
indicated that they only supported 1.0.

GnuTLS clients (3.0.8) will fail as explained above.


So two questions:
- Is GnuTLS doing the right thing and Exchange just buggy?
- Is the OpenSSL workaround a sane thing to do?


Relevant OpenSSL ChangeLog:

 Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
[...]
  *) Some servers which support TLS 1.0 can choke if we initially indicate
     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
     encrypted premaster secret. As a workaround use the maximum pemitted
     client version in client hello, this should keep such servers happy
     and still work with previous versions of OpenSSL.
     [Steve Henson]



-- Fabrice
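
The version check discussed in this message, as an added example that is not part of the original post and is not code from any implementation it names: a Python model of the server-side PreMasterSecret version check from RFC 5246 section 7.4.7.1, run over the three client behaviours the message describes. The "sticky" server model (comparing against the first ClientHello of the connection) is an assumption made only to reproduce the reported behaviour; all function names are hypothetical and the RSA encryption step is omitted.

```python
import hmac
import os

TLS10, TLS12 = b"\x03\x01", b"\x03\x03"   # ProtocolVersion as sent on the wire

def build_premaster(client_version: bytes) -> bytes:
    """PreMasterSecret for RSA key exchange: client_version + 46 random bytes."""
    return client_version + os.urandom(46)

def server_premaster(decrypted: bytes, expected_version: bytes) -> bytes:
    """RFC 5246 7.4.7.1 handling: on a bad length or version, send no alert;
    continue with a random secret so the handshake fails later at Finished."""
    fallback = os.urandom(48)
    ok = len(decrypted) == 48 and hmac.compare_digest(decrypted[:2], expected_version)
    return decrypted if ok else fallback

def renegotiate(server_model: str, initial_hello: bytes,
                reneg_hello: bytes, pms_version: bytes) -> bool:
    """True if client and server end up holding the same premaster secret.
    The server is handed the already-decrypted bytes (RSA step omitted)."""
    if server_model == "strict":      # compares with this handshake's ClientHello
        expected = reneg_hello
    elif server_model == "sticky":    # assumption: compares with the first ClientHello
        expected = initial_hello
    else:
        raise ValueError(server_model)
    pms = build_premaster(pms_version)
    return hmac.compare_digest(server_premaster(pms, expected), pms)

# Client behaviours from the message: (renegotiation ClientHello, version in PMS)
CLIENTS = {
    "hello 1.0 / pms 1.0": (TLS10, TLS10),
    "hello 1.0 / pms 1.2": (TLS10, TLS12),
    "hello 1.2 / pms 1.2": (TLS12, TLS12),   # the OpenSSL 1.0.1 workaround
}

def matrix(initial_hello: bytes = TLS12) -> dict:
    """Outcome of each client behaviour against each server model."""
    return {(srv, name): renegotiate(srv, initial_hello, hello, pms)
            for srv in ("strict", "sticky")
            for name, (hello, pms) in CLIENTS.items()}

if __name__ == "__main__":
    for key, ok in matrix().items():
        print(key, "ok" if ok else "handshake fails at Finished")
```

Only the "hello 1.2 / pms 1.2" row succeeds against both server models, which is the interoperability property the quoted ChangeLog entry claims for the workaround.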