SNI by default in s_client

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

SNI by default in s_client

Matt Caswell-2
I'd like to canvas opinion on this PR:
https://github.com/openssl/openssl/pull/2614

At the moment s_client does not add the SNI extension by default. You
have to explicitly ask for it using the "-servername" option. This can
lead to some problems where servers reject connection attempts from
s_client, e.g.:

https://github.com/openssl/openssl/issues/2580

TLSv1.3 says this about SNI:

   Additionally, all implementations MUST support use of the
   "server_name" extension with applications capable of using it.
   Servers MAY require clients to send a valid "server_name" extension.
   Servers requiring this extension SHOULD respond to a ClientHello
   lacking a "server_name" extension by terminating the connection with
   a "missing_extension" alert.

Technically this doesn't really say anything very much other than we
MUST support it (which we do), and that servers may refuse to talk to
clients that don't send it (which we already know). But the direction of
travel seems to be to support SNI where possible.

The PR above changes the default behaviour of s_client so that it always
sends SNI, and adds a "-noservername" option to suppress sending it if
needed.

I was targeting this change for 1.1.1. The issue is that this does
change command line behaviour between minor versions of the 1.1.x series
- which is supposed to preserve API and ABI compatibility. Of course
this change affects neither API or ABI as its in the apps only -
although we usually extend that compatibility to try to ensure that
command line behaviour remains stable too.

You could argue that the only change in behaviour here is the addition
of an extension by default that wasn't there before - and that we've
already decided to add new extensions in 1.1.1 due to the forthcoming
TLSv1.3 support. On the other hand you could argue that this could break
existing scripts that rely on the current SNI behaviour.

So the question is: should this (type of) change be allowed in a 1.1.x
release? Or should it only be allowed in some future 1.2.0 (or not at all)?

Discuss.

Matt
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: SNI by default in s_client

Tomas Mraz-2
On Mon, 2017-02-13 at 16:13 +0000, Matt Caswell wrote:
> I'd like to canvas opinion on this PR:
> https://github.com/openssl/openssl/pull/2614

....

> The PR above changes the default behaviour of s_client so that it
> always
> sends SNI, and adds a "-noservername" option to suppress sending it
> if
> needed.
>
> I was targeting this change for 1.1.1. The issue is that this does
> change command line behaviour between minor versions of the 1.1.x
> series
> - which is supposed to preserve API and ABI compatibility. Of course
> this change affects neither API or ABI as its in the apps only -
> although we usually extend that compatibility to try to ensure that
> command line behaviour remains stable too.
>
> You could argue that the only change in behaviour here is the
> addition
> of an extension by default that wasn't there before - and that we've
> already decided to add new extensions in 1.1.1 due to the forthcoming
> TLSv1.3 support. On the other hand you could argue that this could
> break
> existing scripts that rely on the current SNI behaviour.
>
> So the question is: should this (type of) change be allowed in a
> 1.1.x
> release? Or should it only be allowed in some future 1.2.0 (or not at
> all)?

In my opinion the PR should be allowed in 1.1.x release, depending on
s_client to not send SNI in some kind of scripts seems to me like a
fairly obscure corner case. I would view this change as a simple
usability improvement.

But if you decide to postpone such changes to 1.2.0 I would recommend
to create some intermediate step between fully breaking API/ABI and
command line use changes. I mean - release 1.2.0 as something API/ABI
compatible with 1.1.x, but allowing such usability changes for command-
line and also allowing things like removal of obscure or insecure
features but keeping the function signatures intact (they would simply
return errors). And also keep the library SONAME so dependencies do not
need to be rebuilt.

And spare full break of API/ABI for something like 2.0 release.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: SNI by default in s_client

Salz, Rich
In reply to this post by Matt Caswell-2
> extension by default that wasn't there before - and that we've already
> decided to add new extensions in 1.1.1 due to the forthcoming
> TLSv1.3 support.

You mean adding new extensions in the wire protocol?  Or are did we modify any API/ABI behavior?

>  On the other hand you could argue that this could break
> existing scripts that rely on the current SNI behaviour.

I would support adding a new -sni flag that is shorter, easier to type, and uses the value of the HOST field.

Within the team, we previously had agreement that the CLI was part of the ABI "contract."  Waiting for Viktor to weigh in  here :)

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: SNI by default in s_client

Viktor Dukhovni
In reply to this post by Matt Caswell-2

> On Feb 13, 2017, at 11:13 AM, Matt Caswell <[hidden email]> wrote:
>
> I'd like to canvas opinion on this PR:
> https://github.com/openssl/openssl/pull/2614
>
> At the moment s_client does not add the SNI extension by default. You
> have to explicitly ask for it using the "-servername" option.

So long as the "-servername" option remains in place and supports
setting the SNI name to something other than the host part of the
"-connect" option I think we provide sufficient compatibility with
the legacy s_client CLI interface.  Adding a "-noservername" option
is compatible enough.

The change of default behaviour is not an interface change, it is a
behaviour change, and could even, with enough squinting, be viewed
as a bugfix, given the modern TLS landscape.

That said, even behaviour changes in stable releases do merit
discussion.  Certainly I would not support the proposed change in
a patch release.  For 1.1.1, I am not opposed, because s_client
is not stunnel, it is primarily useful as a diagnostic tool, and
while some monitoring tools built around it may behave differently
as a result of the change, it is not clear that delaying to 1.2.x
helps.  If we're going to do this, I think that 1.1.1 is OK, if the
interface remains compatible.

--
        Viktor.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: SNI by default in s_client

Matt Caswell-2
In reply to this post by Salz, Rich


On 13/02/17 16:55, Salz, Rich wrote:
>> extension by default that wasn't there before - and that we've already
>> decided to add new extensions in 1.1.1 due to the forthcoming
>> TLSv1.3 support.
>
> You mean adding new extensions in the wire protocol?  Or are did we modify any API/ABI behavior?

Wire protocol. We haven't modified API/ABI behaviour (except to add new
APIs).

>
>>  On the other hand you could argue that this could break
>> existing scripts that rely on the current SNI behaviour.
>
> I would support adding a new -sni flag that is shorter, easier to type, and uses the value of the HOST field.

Which doesn't really solve the problem I was seeking to address.

>
> Within the team, we previously had agreement that the CLI was part of the ABI "contract."  Waiting for Viktor to weigh in  here :)
>

I'm all in favour of a stable command line interface. What I think is
unclear is where the line is drawn between what is and isn't allowed.

I'm also waiting for Viktor :-)

Matt
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: SNI by default in s_client

Benjamin Kaduk
In reply to this post by Matt Caswell-2
On 02/13/2017 10:13 AM, Matt Caswell wrote:
I was targeting this change for 1.1.1. The issue is that this does
change command line behaviour between minor versions of the 1.1.x series
- which is supposed to preserve API and ABI compatibility. Of course
this change affects neither API or ABI as its in the apps only -
although we usually extend that compatibility to try to ensure that
command line behaviour remains stable too.

You could argue that the only change in behaviour here is the addition
of an extension by default that wasn't there before - and that we've
already decided to add new extensions in 1.1.1 due to the forthcoming
TLSv1.3 support. On the other hand you could argue that this could break
existing scripts that rely on the current SNI behaviour.

So the question is: should this (type of) change be allowed in a 1.1.x
release? Or should it only be allowed in some future 1.2.0 (or not at all)?


A few thoughts: I agree that the ecosystem is moving towards using SNI almost all of the time, and this change is probably net helpful to our users.  However, it is also the sort of change that I would have expected to be blocked by the ABI stability promise (as I understand it to be, or maybe as I imagine it to be in my wishful thinking).  In this particular case, my personal opinion is that the benefit outweighs the compatibility breakage, but I could sympathize with someone who felt differently.

Perhaps a reasonable compromise would be to ensure that the -noservername option is accepted (as a noop) in 1.1.0<letter>, so that there is a way to write a script that remains compatible between 1.1.0 and 1.1.1 even if the default does change.

-Ben

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: SNI by default in s_client

Viktor Dukhovni

> On Feb 13, 2017, at 12:20 PM, Benjamin Kaduk <[hidden email]> wrote:
>
> Perhaps a reasonable compromise would be to ensure that the -noservername option is accepted (as a noop) in 1.1.0<letter>, so that there is a way to write a script that remains compatible between 1.1.0 and 1.1.1 even if the default does change.

We could add a "-ignore_unknown" option, which (if specified first)
would more generally allow the CLI to ignore attempts to use features
only available in later versions.  An environment variable could provide
another means to the same end.

That said, I don't think that enabling SNI by default *in s_client* is
sufficient cause to motivate such a feature.  The s_client command adds
new options from time to time, and IIRC we've never before back-ported
these as NOPs.  If an "ignore_unknown" option is warranted, it is for
all the other new things we might add in addition to "-noservername".

I'd be more concerned with potentially incompatible changes to cms(1),
enc(1), req(1), x509(1), ... which are the main day-to-day tools used
by users to get useful work done.  The s_client(1) and s_server(1)
commands are diagnostic utilities, and such it is reasonable to be
less strict w.r.t. reasonable behaviour changes.

We should still provide a backwards compatible interface, but that
does not preclude reasonable differences in the resulting behaviour.

--
--
        Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: SNI by default in s_client

Salz, Rich
Having asked for Viktor's opinion, and reading it, I withdraw my concerns about changing the behavior and adding the flag.  I think it should be called out in the docs and CHANGES however.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: SNI by default in s_client

Viktor Dukhovni

> On Feb 13, 2017, at 12:35 PM, Salz, Rich <[hidden email]> wrote:
>
> I think it should be called out in the docs and CHANGES however.

Yes, definitely.

--
        Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: SNI by default in s_client

Viktor Dukhovni
In reply to this post by Viktor Dukhovni

> On Feb 13, 2017, at 12:32 PM, Viktor Dukhovni <[hidden email]> wrote:
>
> That said, I don't think that enabling SNI by default *in s_client* is
> sufficient cause to motivate such a feature.  The s_client command adds
> new options from time to time, and IIRC we've never before back-ported
> these as NOPs.  If an "ignore_unknown" option is warranted, it is for
> all the other new things we might add in addition to "-noservername".

One more thing I should note.  The implementation should not break the
"-dane_tldsa_domain" option.  That is, with no explicit "-servername"
and with "-dane_tlsa_domain", the SNI name must come from that option,
and not the "-connect" hostname.

--
        Viktor.

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev