Re: [TLS] (strict) decoding of legacy_record_version?

Mon, 07 Nov 2016 16:04:41 -0800 

On Mon, Nov 7, 2016 at 6:50 PM Benjamin Kaduk <bka...@akamai.com> wrote:

(was Re: [TLS] PR#625: Change alert requirements)

Digging up an old sub-thread...

On 09/20/2016 08:03 AM, Eric Rescorla wrote:

in Record Layer there's the following text:

    legacy_record_version : This value MUST be set to { 3, 1 } for all
    records. This field is deprecated and MUST be ignored for all purposes.

in Record Layer Protection there's the following text:

    legacy_record_version : The legacy_record_version field is identical to
    TLSPlaintext.legacy_record_version and is always { 3, 1 }. Note that the
    handshake protocol including the ClientHello and ServerHello messages
    authenticates the protocol version, so this value is redundant.

which doesn't say if the version can be ignored completely (skipped while
parsing) or if it should be verified.


These are different fields.


There's still the question of whether the receiver should enforce 0x0301 in
either/both cases.
OpenSSL is implementing and seems to be reading the spec that it MUST be
ignored (even though I guess strictly speaking that MUST only applies
before record protection is engaged); if I'm doing my code survey
correctly, Mint and NSS always enforce, and Boring only checks the first
octet.

Is there a reason to not do strict enforcement?


Before you know the version, it is not safe to enforce. Prior versions of
TLS did not pin down the value. (BoringSSL checks the first octet because
OpenSSL did so, and it's vaguely nice to sanity-check on the first few
bytes of data in the protocol.)

Immediately after you know the version, enforcement is also problematic.
Alerts sent in response to a ClientHello or ServerHello have somewhat
ambiguous versions. One side may have decided the version is set while the
other has not. Prior to 1.3, the record version needs to be set to the
protocol version (or you break pre-1.3 enforcing implementations). But this
means a receiver which enforces will fail to parse the alert. Not the end
of the world, but weird.

Once you've gotten as far as to switch to TLSCiphertext, I don't see a
reason not to enforce. Keying on versions is problematic (which is why we
avoided a transition to enforcement), but keying on whether the record is
encrypted seems fine. I think it just didn't occur to us to base it on
that. :-)

David

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to