Re: null ciphers in 9.2.2 from Eric Rescorla on 2014-10-01 (ietf-http-wg@w3.org from October to December 2014)

From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 1 Oct 2014 04:49:45 -0700
To: Jason Greene <jason.greene@redhat.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Greg Wilkins <gregw@intalio.com>, "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABcZeBNs8=zYC74VTAZc9NsxqrZFoxc1E7zj2YEziHBpx+a+EA@mail.gmail.com>

On Tue, Sep 30, 2014 at 9:38 PM, Jason Greene <jason.greene@redhat.com>
wrote:

>
> On Sep 30, 2014, at 10:27 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
> > On 30 September 2014 20:15, Jason Greene <jason.greene@redhat.com>
> wrote:
> >> A TLS 1.3 stack will accept a TLS 1.2 client using a cipher which a
> compliant HTTP/2 stack will then reject.
> >
> > How is that possible?  I'm not saying that my understanding is
> > perfect, but I believe that's impossible.
>
> So the current TLS 1.3 draft allows a TLS 1.3 server to accept connections
> for anything from SSL 3 to 1.3. A TLS 1.2 client can specify a block cipher
> like AES256-CBC, and that will be accepted by the TLS stack (unless of
> course the TLS implementation has been operationally configured not to
> allow it).


Yes, and no.

TLS 1.3 servers can concurrently implement multiple versions of TLS. Thus,
if a TLS 1.3 server implement TLS 1.2, it would respond to the ClientHello
you indicate by negotiating 1.2 and selecting the cipher suite. A *pure*
TLS 1.3 server [either because it had been implemented that way or because
it had been configured that way] would, however, fail to negotiate with
such a
client.

-Ekr












> Such ciphers aren’t bad, they just aren’t state of the art, and are
> accepted by major websites/servers right now. They will likely continue to
> be supported as well since sites wish to remain compatible with legacy
> devices and software.
>
> If the client uses HTTP/1.1 and TLS 1.2 talking to a TLS 1.3 server, using
> CBC it will all work fine. However, if the client uses HTTP/2, and CBC ends
> up getting negotiated, then the server needs to reject with
> INADEQUATE_SECURITY. So HTTP/2 is asserting additional restrictions beyond
> what a TLS 1.3 stack would natively do. Since both HTTP/1.1 and HTTP/2
> share the same port, a dual h1/h2 stack will be forced to do fiddly things
> to allow ciphers from H1 that it will disallow on H2.
>
> --
> Jason T. Greene
> WildFly Lead / JBoss EAP Platform Architect
> JBoss, a division of Red Hat
>
>
>

Received on Wednesday, 1 October 2014 11:50:54 UTC