Hi David & Steven,
Here our intension is to find out buggy server which implemented a cipher suite
support with wrong value other than specified in RFC.
- If that wrong value usage in that buggy server collides with any
real cipher suite on the period of deployment means, the bug would have
identified immediately with some other non buggy client.
- If that wrong value is in the range of unspecified value, then that
bug thrives and it will come out only after several years when IANA assigns
that value to some new cipher suite.
In this case, can you please tell me why we decided only few values as GREASE
value {0x0A0A, 0x1A1A, ..}. Whether chrome browser has found a real buggy web
server which supports these values ?
Regards,
R Ashok
________________________________
Raja Ashok VK
华为技术有限公司 Huawei Technologies Co., Ltd.
[Company_logo]
Phone:
Fax:
Mobile:
Email:
Huawei Technologies Co., Ltd.
Bangalore, India
http://www.huawei.com
________________________________
本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁
止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中
的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件!
This e-mail and its attachments contain confidential information from HUAWEI,
which
is intended only for the person or entity whose address is listed above. Any
use of the
information contained herein in any way (including, but not limited to, total
or partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify
the sender by
phone or email immediately and delete it!
From: David Benjamin [mailto:[email protected]]
Sent: 02 August 2016 19:30
To: Steven Valdez; Raja ashok; [email protected]
Subject: Re: [TLS] Keeping TLS extension points working
To expand on that a little, since it seems comments (a) and (b) are really the
same one:
The purpose of having an explicitly reserved list (b) is precisely so we do not
have to do a second handshake (a). The purpose here is to ensure we exercise
the little-used codepaths, not introduce new ones. This is intended to be an
extremely minimal mechanism. Clients add a tiny bit of code to their
ClientHello and no server code changes at all. (Note that every MUST in the
document is just reiterating what TLS already requires.)
David
On Tue, Aug 2, 2016 at 9:47 AM Steven Valdez
<[email protected]<mailto:[email protected]>> wrote:
a) It seems like if an implementation has updated to be able to handle a
specific GREASE alert, it should be able to handle not sending an invalid
cipher suite. In general, its probably cleaner for the connection to fatally
shutdown and then restart if the server is behaving that poorly. Servers that
are sending back non-existent ciphers are also potentially broken in other
ways, and I don't know whether a client should trust that it can reset any
handshake state correctly if it were to try doing a "warning" alert.
b) The reasoning behind having an explicit list is so that implementations
don't send a value that ends up being defined as some other valid value.
Otherwise its possible that some implementations will update to include GREASE
values, but they might not update immediately upon new values being assigned by
IANA, which means that there will be periods of times that some clients might
send "fake" values that collide with real values, confusing the peer
implementation into believing they actually support something that they don't
and resulting in more intolerance issues between outdated GREASE clients and
newly updated servers, with this intolerance being firmly the GREASE clients
fault. The hardcoded list gets around this by making sure GREASE never overlaps
with an actual value, though at the trade-off that badly designed
implementations could choose to just hard-code ignore the GREASE codepoints.
On Tue, Aug 2, 2016 at 2:59 AM Raja ashok
<[email protected]<mailto:[email protected]>> wrote:
Hi Benjamin,
I have gone through the GREASE mechanism which you proposed in your new draft.
It’s really a nice idea for finding a buggy server before it thrives.
I am having few doubts on this, which are listed below.
a) What should be the behaviour of client incase if a buggy server
responded for a GREASE value ?
- Consider a client sends a GREASE cipher value at first place and
followed by valid cipher suites, in its client hello.
- If a buggy server selects that cipher then it will response server
hello with that GREASE cipher value. At this case if client sends FATAL alert
then both side TLS and TCP needs to be closed and client needs to recreate a
new TCP connection, and then restart TLS handshake without GREASE cipher value.
- Instead of this we can make client to send warning alert (with new
TLS alert code GREASE_CIPHER_VALUE_SELECTED(111)) and restart TLS handshake by
sending client hello again.
- If a server receives this new warning, then it should be ready to
receive new client hello to restart handshake.
SERVER
CLIENT
CH (GREASE Cipher value & Valid Cipher value) ------>
<------- SH (GREASE cipher value)
Fatal alert -------->
TCP (SYN) -------->
<-------- TCP(SYN ACK)
TCP (ACK) -------->
CH (Valid cipher value)
------->
Scenario 1 : Sending FATAL alert for server selecting
GREASE value
SERVER
CLIENT
CH (GREASE Cipher value & Valid Cipher value) ------->
<------- SH (GREASE cipher value)
Warning alert -------->
CH (Valid cipher value)
------->
Scenario 2 : Sending WARNING alert for server selecting
GREASE value
- I hope sending warning msg and restarting TLS handshake will be
efficient.
- TLS Server must notify the application, whenever it receives a
GREASE warning alert.
b) Why only few values are specified as GREASE value ? Basically all value
which are not specified by IANA should be considered as GREASE value right ?
- Basically client should maintain the list of values (cipher suite,
extensions) specified by IANA. The range of values.
- For example IANA specified cipher suite values are {{0x0000,0x005C},
{0x0060,0x006D}, {0x0084, 0x00C5}, {0x00FF, 0x00FF} ….. }. This should be
maintained in client.
- We should make the client to choose a random value which are not in
this supported value list. That cipher value should be considered as GREASE
value and need to keep in first place of its cipher list.
- If its selected by a buggy server, then client should behave as
mentioned in above scenario 2.
- Even in future if IANA provides new values to new cipher, then this
list also should be updated. Consider in this case server is supporting that
new cipher and client is not aware about it, so client can propose that value
as GREASE value, then still connection will work with the 2nd handshake.
- I am not understanding why we are planning to maintain a few set of
GREASE values {0x0A0A, 0x1A1A …. }. If I am missing something, please clarify
me.
Regards,
R Ashok
________________________________
Raja Ashok VK
华为技术有限公司 Huawei Technologies Co., Ltd.
[Company_logo]
Phone:
Fax:
Mobile:
Email:
Huawei Technologies Co., Ltd.
Bangalore, India
http://www.huawei.com
________________________________
本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁
止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中
的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件!
This e-mail and its attachments contain confidential information from HUAWEI,
which
is intended only for the person or entity whose address is listed above. Any
use of the
information contained herein in any way (including, but not limited to, total
or partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify
the sender by
phone or email immediately and delete it!
From: TLS [mailto:[email protected]<mailto:[email protected]>] On Behalf
Of David Benjamin
Sent: 26 July 2016 04:02
To: [email protected]<mailto:[email protected]>
Subject: [TLS] Keeping TLS extension points working
Hi folks,
I'm not sure how this process usually works, but I would like to reserve a
bunch of values in the TLS registries to as part of an idea to keep our
extension points working. Here's an I-D:
https://tools.ietf.org/html/draft-davidben-tls-grease-00
(The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy from
https://www.imperialviolet.org/2016/05/16/agility.html )
One problem we repeatedly run into is servers failing to implement TLS's
various extension points correctly. The most obvious being version intolerance.
When we deployed X25519 in Chrome, we discovered an intolerant implementation.
(Thankfully it was rare enough to not warrant a fallback or revert!) It appears
that signature algorithms maybe also be gathering rust. Ciphers and extensions
seem to have held up, but I would like to ensure they stay that way.
The root problem here is these broken servers interoperate fine with clients at
the time they are deployed. It is only after new values get defined do we
notice, by which time it is too late.
I would like to fix this by reserving a few values in our registries so that
clients may advertise random ones and regularly exercise these codepaths in
servers. If enough of the client base does this, we can turn a large class of
tomorrow's interop failures into today's interop failures. This is important
because an bug will not thrive in the ecosystem if it does not work against the
current deployment.
If you were in Berlin, you may recognize this idea from the version negotiation
debate. Alas that all happened in the wrong order as I hadn't written this up
yet. This idea can't be applied to versioning without giving up on
ClientHello.version, but we can start with the rest of the protocol.
David
PS: This is actually my first I-D, so apologies if I've messed it up somewhere!
_______________________________________________
TLS mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
