[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ietf-tls
Subject:    Re: [TLS] [mogul-open] Interoperability testing
From:       Martin Rex <mrex () sap ! com>
Date:       2010-01-08 1:41:08
Message-ID: 201001080141.o081f8VN001932 () fs4113 ! wdf ! sap ! corp
[Download RAW message or body]

Martin Rex wrote:
> 
> Nelson B Bolyard wrote:
> > 
> > On 2010-01-06 14:30 PST, Eric Rescorla wrote:
> > > I agree with Marsh here.
> > > 
> > > Any server which is going to implement this draft, SSLv3 or otherwise
> > > is going to need to process RI correctly (whehter empty or not,
> > > but especially if not because otherwise it can't renegotiate at all).
> > > The only reason to send SCSV is if you're afraid to send RI because
> > > you think an unupgraded server might break on it. 
> > 
> > My understanding of this draft is that it does NOT require upgraded SSL 3.0
> > servers to understand any extensions in _initial_ handshakes.  An SSL 3.0
> > server that ignores all handshakes (per the "draft-02" version of the 3.0
> > spec), but understands SCSV, can be fully compliant with this draft.
> > 
> > I have come to expect that that will be the norm for upgraded SSL 3.0
> > servers.  They will not, in general, understand any extensions in initial
> > client hellos, and will only understand one extension in renegotiation
> > client hellos, namely a non-empty RI.
> > 
> > Consistent with that expectation, I believe SCSV is the only reliable way to
> > request renegotiation protection from upgraded SSL 3.0 servers.
> > 
> > Is that not the compromise we reached with Martin Rex?
> 
> I'm similarly confused.
> 
> The -03 document does not reflect WG consensus on the use of SCSV.
> 
> And the document is unnecessarily complicated and inconsistent.
> 
> OK:       3.3   "... the SCSV may be safely sent to any server."
> 
> OK:       3.4   "MUST include ... TLS_RENEGO_PROTECTION_REQUEST signal(l)ing
>                 cipher suite value in every ClientHello.
> 
> not good: 3.4   "MUST include and empty "renegotiation_info" extension
>                  ... in every ClientHello"
> 
>           because the empty renegotiation_info applies only to
>           ClientHellos of initial handshakes.
> 
> bad:      3.4   "Including both is not recommended."
> 
>           Working group consensus is that both may be included.
> 
> very bad: 3.5   "The SCSV MUST NOT be included."
> 
>           There is no working group consensus for this MUST NOT,
>           and not a single technical argument for this MUST NOT
>           has been given during the last 2 months.
> 
> Simply removing the two last mentioned sentences will
> improve the document and reflect working group consensus.

Correcting myself:

The last mentioned two sentences should be changed to say

"A ClientHello handshake message may contain both SCSV and a
 "renegotiation_info" extension.  If SCSV is present, but no
 "renegotiation_info" extension, then it should be treated as
 if an empty renegotiation_info extension was present."


It really strikes me as odd to see a requirement to create an interoperability
problem based on the mere presence of a particular ciphersuite value.
This interoperability problem is _completely_ unnecessary and serves
absolutely no technical purpose.

-Martin

[prev in list] [next in list] [prev in thread] [next in thread]