Re: [9front] [PATCH] libsec: add minimal support for the tls renegotiation extension

9front - general discussion about 9front
 help / color / mirror / Atom feed

From: hiro <23hiro@gmail.com>
To: 9front@9front.org
Subject: Re: [9front] [PATCH] libsec: add minimal support for the tls renegotiation extension
Date: Mon, 23 Jan 2023 14:16:11 +0100	[thread overview]
Message-ID: <CAFSF3XO2W4skzFJUsY2AikX-6R1=1rdH+cHsy_TFVT4_jrQsTQ@mail.gmail.com> (raw)
In-Reply-To: <Y85s6z/imzZxd6Xh@alice>

did you try explaining this to "The OpenSSL developers" ?

also, is there no way in openssl to turn off this behavior?

it seems like an industry-wide sabotage effort.

On 1/23/23, Anthony Martin <ality@pbrane.org> wrote:
> hiro <23hiro@gmail.com> once said:
>> your explanation of their secondary reasoning is good. the original
>> assumptions that led to this extension are still invalid.
>
> The IETF TLS group had a lengthy discussion¹ about this
> problem back in 2009 when Marsh Ray described his attacks².
>
> Martin Rex said:
>
> 	I can understand what it says, but I _really_ dislike it.
>
> 	The root of the problem is servers that perform (or at least
> 	allow) TLS renegotiations and make flawed assumptions about
> 	what a successful TLS renegotiation means for the data
> 	previously received.
>
> 	What you're essentially asking for, is that a client should no
> 	longer talk TLS to _any_ Server that doesn't support the new
> 	extension. Not even to the good ones that neither offer nor
> 	support renegotiation.
>
> 	This is discriminating against servers that have been playing
> 	safe!
>
> 	Essentially we are going to hold TLS clients and the installed
> 	base of good Servers responsible for the broken Servers out
> 	there. That feels very wrong.
>
> Eric Rescorla responded:
>
> 	I'm not recommending that clients do that. What I'm trying to
> 	say is that *if* a client wants to be totally sure then all it
> 	can do is require the extension. I agree it's impractical (and
> 	probably unwise) to suggest that they actually behave that
> 	way.
>
> The OpenSSL developers have decided that clients should now
> "do that" by default.
>
> Like it or not, OpenSSL is the apex predator. We can either
> refuse to support v3.0 clients connecting to our servers or
> make the minimal changes necessary to accommodate them. I
> think we all know our place in the ecosystem.
>
> I'm not defending their decision. I just fixed the problem
> months ago and moved on with my life. I was checking in to see
> if you guys still wanted the patch or not.
>
> Cheers,
>   Anthony
>
> 1. https://mailarchive.ietf.org/arch/msg/tls/N7EcRpvK2ENs5IwWYv2p7nrUG8w/
> 2.
> https://web.archive.org/web/20091107111709/http://www.extendedsubset.com/
>

next prev parent reply	other threads:[~2023-01-23 13:17 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-11-10  2:24 Anthony Martin
2023-01-18 15:07 ` [9front] " Anthony Martin
2023-01-19  4:30 ` [9front] " ori
2023-01-19  4:48   ` ori
2022-11-10  2:24     ` Anthony Martin
2023-01-28 21:20       ` ori
2023-01-28 21:59       ` cinap_lenrek
2023-01-19  9:50     ` Anthony Martin
2023-01-20 12:12 ` hiro
2023-01-20 21:05   ` Anthony Martin
2023-01-20 22:33     ` hiro
2023-01-21  3:48       ` Anthony Martin
2023-01-21 12:54         ` hiro
2023-01-21 17:29           ` Steve Simon
2023-01-22 16:00             ` hiro
2023-01-22  7:55           ` Anthony Martin
2023-01-22 16:10             ` hiro
2023-01-23 11:18               ` Anthony Martin
2023-01-23 13:16                 ` hiro [this message]
2023-01-23 14:24                   ` Ori Bernstein
2023-01-23 14:29                     ` Ori Bernstein
2023-01-24  0:14                   ` hiro
2023-01-24  0:16                     ` hiro
2023-01-25 16:19                   ` kemal
2023-01-25 16:39                     ` hiro
2023-01-25 17:07                       ` kemal
2023-01-25 17:18                         ` hiro
2023-01-25 17:30                           ` kemal
2023-01-25 17:36                             ` kemal
2023-01-26 20:54                               ` hiro
2023-01-26 21:52                                 ` Frank D. Engel, Jr.
2023-01-27  6:11                                 ` kemal
2023-01-27 10:55                                   ` hiro
2023-01-27 17:38                                     ` kemal
2023-01-23 16:23                 ` hiro

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAFSF3XO2W4skzFJUsY2AikX-6R1=1rdH+cHsy_TFVT4_jrQsTQ@mail.gmail.com' \
    --to=23hiro@gmail.com \
    --cc=9front@9front.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).