[prev in list] [next in list] [prev in thread] [next in thread]
List: ietf-tls
Subject: Re: [TLS] [mogul-open] Interoperability testing
From: Martin Rex <mrex () sap ! com>
Date: 2010-01-08 1:41:08
Message-ID: 201001080141.o081f8VN001932 () fs4113 ! wdf ! sap ! corp
[Download RAW message or body]
Martin Rex wrote:
>
> Nelson B Bolyard wrote:
> >
> > On 2010-01-06 14:30 PST, Eric Rescorla wrote:
> > > I agree with Marsh here.
> > >
> > > Any server which is going to implement this draft, SSLv3 or otherwise
> > > is going to need to process RI correctly (whehter empty or not,
> > > but especially if not because otherwise it can't renegotiate at all).
> > > The only reason to send SCSV is if you're afraid to send RI because
> > > you think an unupgraded server might break on it.
> >
> > My understanding of this draft is that it does NOT require upgraded SSL 3.0
> > servers to understand any extensions in _initial_ handshakes. An SSL 3.0
> > server that ignores all handshakes (per the "draft-02" version of the 3.0
> > spec), but understands SCSV, can be fully compliant with this draft.
> >
> > I have come to expect that that will be the norm for upgraded SSL 3.0
> > servers. They will not, in general, understand any extensions in initial
> > client hellos, and will only understand one extension in renegotiation
> > client hellos, namely a non-empty RI.
> >
> > Consistent with that expectation, I believe SCSV is the only reliable way to
> > request renegotiation protection from upgraded SSL 3.0 servers.
> >
> > Is that not the compromise we reached with Martin Rex?
>
> I'm similarly confused.
>
> The -03 document does not reflect WG consensus on the use of SCSV.
>
> And the document is unnecessarily complicated and inconsistent.
>
> OK: 3.3 "... the SCSV may be safely sent to any server."
>
> OK: 3.4 "MUST include ... TLS_RENEGO_PROTECTION_REQUEST signal(l)ing
> cipher suite value in every ClientHello.
>
> not good: 3.4 "MUST include and empty "renegotiation_info" extension
> ... in every ClientHello"
>
> because the empty renegotiation_info applies only to
> ClientHellos of initial handshakes.
>
> bad: 3.4 "Including both is not recommended."
>
> Working group consensus is that both may be included.
>
> very bad: 3.5 "The SCSV MUST NOT be included."
>
> There is no working group consensus for this MUST NOT,
> and not a single technical argument for this MUST NOT
> has been given during the last 2 months.
>
> Simply removing the two last mentioned sentences will
> improve the document and reflect working group consensus.
Correcting myself:
The last mentioned two sentences should be changed to say
"A ClientHello handshake message may contain both SCSV and a
"renegotiation_info" extension. If SCSV is present, but no
"renegotiation_info" extension, then it should be treated as
if an empty renegotiation_info extension was present."
It really strikes me as odd to see a requirement to create an interoperability
problem based on the mere presence of a particular ciphersuite value.
This interoperability problem is _completely_ unnecessary and serves
absolutely no technical purpose.
-Martin
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic