RE: [TLS] Open issue: Record Version Numbers
<Pasi.Eronen@nokia.com> Fri, 20 October 2006 12:26 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GatS0-00031N-U4; Fri, 20 Oct 2006 08:26:12 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GatRz-00031F-VP for tls@ietf.org; Fri, 20 Oct 2006 08:26:11 -0400
Received: from mgw-ext14.nokia.com ([131.228.20.173]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GatRy-00050G-BT for tls@ietf.org; Fri, 20 Oct 2006 08:26:11 -0400
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-ext14.nokia.com (Switch-3.1.10/Switch-3.1.10) with ESMTP id k9KCPxdP020943; Fri, 20 Oct 2006 15:26:06 +0300
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 20 Oct 2006 15:26:05 +0300
Received: from esebe105.NOE.Nokia.com ([172.21.143.53]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 20 Oct 2006 15:26:04 +0300
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Open issue: Record Version Numbers
Date: Fri, 20 Oct 2006 15:26:12 +0300
Message-ID: <B356D8F434D20B40A8CEDAEC305A1F2403495D36@esebe105.NOE.Nokia.com>
In-Reply-To: <20061020070358.GA26457@tau.invalid>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Open issue: Record Version Numbers
Thread-Index: Acb0FpwcjLhk66gnSJSuP9vo79s/XgAK5KHA
From: Pasi.Eronen@nokia.com
To: bmoeller@acm.org
X-OriginalArrivalTime: 20 Oct 2006 12:26:04.0978 (UTC) FILETIME=[E989D120:01C6F442]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: a2c12dacc0736f14d6b540e805505a86
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Bodo Moeller wrote: > What remains is my main conclusion that the language in the > specification in this regards is a total mess, and that we can't just > look what we would *like* the specification to be, but mostly at what > will work best with the implementations that are actually out there. I agree. Here's some suggested text; let's see if we can improve on it somehow... In Section 6.2.1, when describing the version field, add the following text: "Note that a client that supports multiple versions of TLS may not know what version will be employed before it receives ServerHello. See Appendix E for discussion about what record layer version number should be employed for ClientHello." And rewrite E.1. Compatibility with TLS 1.0/1.1 and SSL 3.0 For historical reasons and in order to avoid a profligate consumption of reserved port numbers, application protocols which are secured by various versions of TLS (1.0, 1.1, and 1.2) and SSL (2.0 and 3.0) all frequently share the same connection port: for example, the https protocol (HTTP secured by SSL or TLS) uses port 443 regardless of which security protocol it is using. Thus, some mechanism must be determined to distinguish and negotiate among the various protocols. TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use compatible ClientHello messages; thus, supporting all of them is relatively easy. A TLS 1.2 client who wishes to negotiate with such older servers will send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in ClientHello.client_version. If the server does not support this version, it will respond with ServerHello containing an older version number. If the client agrees to use this version, the negotiation will proceed as appropriate for the negotiated protocol. If the version chosen by the server is not supported by the client (or not acceptable), the client MUST send a "protocol_version" alert message and close the connection. If a TLS server receives a ClientHello containing a version number greater than the highest version supported by the server, it MUST reply according to the highest version supported by the server. A TLS server can also receive a ClientHello containing version number smaller than the highest supported version. If the server wishes to negotiate with old clients, it will proceed as appropriate for the highest version supported by the server that is not greater than ClientHello.client_version. For example, if the server supports TLS 1.0, 1.1, and 1.2, and client_version is TLS 1.0, the server will proceed with a TLS 1.0 ServerHello. If server supports (or is willing to use) only versions greater than client_version, it MUST send a "protocol_version" alert message and close the connection. Whenever a client already knows the highest protocol known to a server (for example, when resuming a session), it SHOULD initiate the connection in that native protocol. Note: some server implementations are known to implement version negotiation incorrectly. For example, there are buggy TLS 1.0 servers that simply close the connection when the client offers a version newer than TLS 1.0. Also, it is known that some servers will refuse connection if any TLS extensions are included in ClientHello. Interoperability with such buggy servers is a complex topic beyond the scope of this document, and may require multiple connection attempts by the client. Earlier versions of the TLS specification were not fully clear on what the record layer version number (TLSPlaintext.version) should contain when sending ClientHello (i.e., before it is known which version of the protocol will be employed). Thus, TLS servers compliant with this specification MUST accept any value {03,XX} as the record layer version number for ClientHello. TLS clients that wish to negotiate with older servers MAY send any value {03,XX} as the record layer version number. Typical values would be {03,00}, the lowest version number supported by the client, and the value of ClientHello.client_version. No single value will guarantee interoperability with all old servers, but this is a complex topic beyond the scope of this document. (and move all discussion of SSL 2.0 discussion to separate section, appendix E.2) Best regards, Pasi _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- RE: [TLS] Open issue: Record Version Numbers Pasi.Eronen
- [TLS] Open issue: Record Version Numbers Eric Rescorla
- Re: [TLS] Open issue: Record Version Numbers Eric Rescorla
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] Open issue: Record Version Numbers Martin Rex
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] Open issue: Record Version Numbers Martin Rex
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] Open issue: Record Version Numbers Martin Rex
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] Open issue: Record Version Numbers Martin Rex
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- RE: [TLS] Open issue: Record Version Numbers Pasi.Eronen
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- [TLS] TLS 1.1 and static DH Jan Nordqvist
- RE: [TLS] TLS 1.1 and static DH Pasi Eronen
- RE: [TLS] TLS 1.1 and static DH Peter Gutmann
- RE: [TLS] TLS 1.1 and static DH Pasi.Eronen
- Re: [TLS] TLS 1.1 and static DH Bodo Moeller
- Re: [TLS] TLS 1.1 and static DH Dr Stephen Henson
- RE: [TLS] Open issue: Record Version Numbers Pasi.Eronen
- Re: [TLS] Open issue: Record Version Numbers Bodo Moeller
- Re: [TLS] TLS 1.1 and static DH EKR
- RE: [TLS] Open issue: Record Version Numbers Peter Gutmann
- Re: [TLS] TLS 1.1 and static DH Nelson B Bolyard
- Re: [TLS] TLS 1.1 and static DH Nelson B Bolyard
- Re: [TLS] Open issue: Record Version Numbers Nelson B Bolyard
- Re: [TLS] TLS 1.1 and static DH Peter Gutmann
- Re: [TLS] Open issue: Record Version Numbers tom.petch
- RE: [TLS] TLS 1.1 and static DH Pasi.Eronen
- RE: [TLS] TLS 1.1 and static DH Rob Dugal
- Re: [TLS] TLS 1.1 and static DH Jan Nordqvist
- Re: [TLS] TLS 1.1 and static DH Jan Nordqvist
- Re: [TLS] TLS 1.1 and static DH Rob Dugal
- RE: [TLS] Open issue: Record Version Numbers Pasi.Eronen
- [TLS] Stateless TLS Session Resumption extension … Jan Nordqvist
- RE: [TLS] Stateless TLS Session Resumption extens… Joseph Salowey (jsalowey)
- RE: [TLS] Stateless TLS Session Resumption extens… Joseph Salowey (jsalowey)