Re: [TLS] Record layer corner cases
Bodo Moeller <bmoeller@acm.org> Tue, 28 November 2006 12:22 UTC
Date: Tue, 28 Nov 2006 13:21:25 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [TLS] Record layer corner cases
Message-ID: <20061128122125.GC11403@tau.invalid>
References: <BAY103-W82F5B536679C37B4BA72F92E60@phx.gbl> <E1GosGt-000398-00@medusa01.cs.auckland.ac.nz>
Cc: tls@ietf.org
On Tue, Nov 28, 2006 at 03:00:31PM +1300, Peter Gutmann wrote:

> Peter Williams <home_pw@msn.com> writes:
>
>> Out of interest Peter and Martin, how well do your software and hardware
>> modules handle the following change from SSL v2 to SSL v3, including fallback
>> handling as specified by SSL3, and then the TLS fallback mechanisms?
>>
>> "SSL Version 3 supports the transmission and reception of "out of band data".
>> Out of band data is normally defined at the TCP/IP protocol level, but
>> because of SSL's privacy enhancements and support for block ciphers, this
>> becomes difficult to support.
>
> I don't handle it at all, if my code sees OOB data in the middle of a TLS
> stream it flags it as a network-level error (my security model is
> default-deny). I've never seen OOB data used and can't imagine why it'd ever
> be used except as a potential attack vector targeting corner cases in TLS
> implementations.

The above quote is from the SSL patent, which does mention "SSL Version 3" --
but it's not really about what we know as SSL 3.0, it only describes the SSL 2
protocol design. The patent says that "currently there are several versions of
the novel SSL", and there the "novel SSL" is what we know as SSL 2 and variants
thereof. What eventually was fielded as SSL 3.0 is, of course, a very different
protocol.

The SSL 2 protocol design provides for a "security escape" flag in record
headers ("reserved for future versions of the protocol"), which would be used
to tag out-of-band data. That, and not TCP-level out-of-band data, is what the
above patent text is talking about. (As noted there, handling TCP out-of-band
data would be difficult within SSL.)

Bodo
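The "security escape" bit Bodo refers to lives in the SSL 2 record header: a record starts with either a 2-byte header (high bit of the first byte set, 15-bit length, no padding) or a 3-byte header (high bit clear, bit 6 is SECURITY-ESCAPE, 14-bit length, third byte is the padding count). The parser below, an added example that is not code from this message or from any of the implementations discussed in the thread, decodes that header and applies the default-deny policy Peter Gutmann describes: a record with the escape bit set is refused because no shipped version ever defined its semantics. The `mac_len` parameter, the class and function names, and the sample records are all assumptions made for the example.

```python
"""
SSLv2 record-header parser with a default-deny policy for the
SECURITY-ESCAPE bit.  Added example; not from the original message or
from any TLS implementation.  Header layout per the SSL 2.0 draft:

  2-byte header (bit 7 of byte 0 set):   15-bit length, no padding,
                                         no escape bit
  3-byte header (bit 7 of byte 0 clear): bit 6 = SECURITY-ESCAPE,
                                         14-bit length, byte 2 = padding
"""
from dataclasses import dataclass


class RecordError(ValueError):
    """Raised for any header the parser refuses (default-deny)."""


@dataclass(frozen=True)
class Ssl2RecordHeader:
    header_len: int    # 2 or 3
    record_len: int    # bytes after the header: MAC + data + padding
    padding: int       # trailing padding bytes; always 0 for 2-byte headers
    is_escape: bool    # SECURITY-ESCAPE bit (3-byte header only)


def parse_ssl2_header(buf: bytes) -> Ssl2RecordHeader:
    """Decode the header at the start of buf without consuming the body."""
    if len(buf) < 2:
        raise RecordError("need at least 2 bytes for an SSLv2 record header")
    b0, b1 = buf[0], buf[1]
    if b0 & 0x80:
        # 2-byte form: no padding byte and no escape bit exist.
        return Ssl2RecordHeader(2, ((b0 & 0x7F) << 8) | b1, 0, False)
    if len(buf) < 3:
        raise RecordError("3-byte header truncated")
    return Ssl2RecordHeader(
        header_len=3,
        record_len=((b0 & 0x3F) << 8) | b1,
        padding=buf[2],
        is_escape=bool(b0 & 0x40),
    )


def check_header(hdr: Ssl2RecordHeader, allow_escape: bool = False) -> Ssl2RecordHeader:
    """Default-deny checks: refuse what the protocol never defined or cannot carry."""
    if hdr.is_escape and not allow_escape:
        # "Reserved for future versions" that never shipped: treat as hostile.
        raise RecordError("SECURITY-ESCAPE record refused (undefined semantics)")
    if hdr.record_len == 0:
        raise RecordError("zero-length record")  # local policy, not a spec rule
    if hdr.padding >= hdr.record_len:
        # Padding must leave room for at least the MAC and data.
        raise RecordError("padding length exceeds record length")
    return hdr


def accepts(buf: bytes, allow_escape: bool = False) -> bool:
    """True if the header at the start of buf passes the default-deny checks."""
    try:
        check_header(parse_ssl2_header(buf), allow_escape)
        return True
    except RecordError:
        return False


def split_record(buf: bytes, mac_len: int, allow_escape: bool = False):
    """Return (header, mac, data, rest) for the first complete record in buf.

    mac_len is the MAC size of the negotiated cipher (assumed known here).
    """
    hdr = check_header(parse_ssl2_header(buf), allow_escape)
    end = hdr.header_len + hdr.record_len
    if len(buf) < end:
        raise RecordError("record body truncated")
    body = buf[hdr.header_len:end]
    if len(body) < mac_len + hdr.padding:
        raise RecordError("record too short for MAC and padding")
    mac = body[:mac_len]
    data = body[mac_len:len(body) - hdr.padding]
    return hdr, mac, data, buf[end:]


if __name__ == "__main__":
    # Constructed sample records (not captured traffic).
    plain = b"\x80\x05" + b"hello"                  # 2-byte header, 5 bytes
    padded = b"\x00\x08\x02" + b"MACabc\x00\x00"   # 3-byte header, 2 pad bytes
    escape = b"\x40\x03\x00" + b"oob"               # SECURITY-ESCAPE set
    print(parse_ssl2_header(plain))
    print(split_record(padded, mac_len=3))
    print("escape accepted:", accepts(escape))
```

Note that the escape bit only exists in the 3-byte form: a first byte of 0xC0 is a 2-byte header with a large length field, not an escape record, which is exactly the kind of corner case a lenient parser gets wrong.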