[tor-dev] Proposal 198: Restore semantics of TLS ClientHello

Robert Ransom rransom.8774 at gmail.com
Mon Mar 26 07:17:16 UTC 2012

On 2012-03-20, Nick Mathewson <nickm at freehaven.net> wrote:
> Filename: 198-restore-clienthello-semantics.txt
> Title: Restore semantics of TLS ClientHello
> Author: Nick Mathewson
> Created: 19-Mar-2012
> Status: Open
> Overview:
>    Currently, all supported Tor versions try to imitate an older version
>    of Firefox when advertising ciphers in their TLS ClientHello.  This
>    feature is intended to make it harder for a censor to distinguish a
>    Tor client from other TLS traffic.  Unfortunately, it makes the
>    contents of the ClientHello unreliable: a server cannot conclude that
>    a cipher is really supported by a Tor client simply because it is
>    advertised in the ClientHello.
>    This proposal suggests an approach for restoring sanity to our use of
>    ClientHello, so that we still avoid ciphersuite-based fingerprinting,
>    but allow nodes to negotiate better ciphersuites than they are
>    allowed to negotiate today.
> Background reading:
>    Section 2 of tor-spec.txt 2 describes our current baroque link
>    negotiation scheme.  Proposals 176 and 184 describe more information
>    about how it got that way.
>    Bug 4744 is a big part of the motivation for this proposal: we want
>    to allow Tors to advertise even more ciphers, some of which we would
>    actually prefer to the ones we are using now.
>    What you need to know about the TLS handshake is that the client
>    sends a list of all the ciphersuites that it supports in its
>    ClientHello message, and then the server chooses one and tells the
>    client which one it picked.
> Motivation and constraints:
>    We'd like to use some of the ECDHE TLS ciphersuites, since they allow
>    us to get better forward-secrecy at lower cost than our current
>    DH-1024 usage.  But right now, we can't ever use them, since Tor will
>    advertise them whether or not it has a version of OpenSSL that
>    supports them.
>    (OpenSSL before 1.0.0 did not support ECDHE ciphersuites; OpenSSL
>    before 1.0.0e or so had some security issues with them.)

Can Tor detect that it is running with a version of OpenSSL with those
security issues and refuse to support the broken ciphersuites?

>    We cannot have the rule be "Tors must only advertise ciphersuites
>    that they can use", since current Tors will advertise such
>    ciphersuites anyway.
>    We cannot have the rule be "Tors must support every ECDHE ciphersuite
>    on the following list", since current Tors don't do all that, and
>    since one prominent Linux distribution builds OpenSSL without ECC
>    support because of patent/freedom fears.
>    Fortunately, nearly every ciphersuite that we would like to advertise
>    to imitate FF8 (see bug 4744) is currently supported by OpenSSL 1.0.0
>    and later.  This enables the following proposal to work:
> Proposed spec changes:
>    I propose that the rules for handling ciphersuites at the server side
>    become the following:
>    If the ciphersuites in the ClientHello contains no ciphers other than
>    the following[*], they indicate that the Tor v1 link protocol is in use.
>    If the advertised ciphersuites in the ClientHello are _exactly_[*]
>    the following, they indicate that the Tor v2+ link protocol is in
>    use, AND that the ClientHello may have unsupported ciphers.  In this
>    case, the server may choose DHE_RSA_WITH_AES_128_CBC_SHA  or
>    DHE_RSA_WITH_AES_256_SHA, but may not choose any other cipher.
>      TLS1_RSA_WITH_AES_256_SHA
>      SSL3_RSA_RC4_128_MD5
>      SSL3_RSA_RC4_128_SHA
>      TLS1_RSA_WITH_AES_128_SHA
>      SSL3_EDH_RSA_DES_192_CBC3_SHA
>      SSL3_EDH_DSS_DES_192_CBC3_SHA
>      SSL3_RSA_DES_192_CBC3_SHA
>   [*] The "extended renegotiation is supported" ciphersuite, 0x00ff, is
>       not counted when checking the list of ciphersuites.
>   Otherwise, the ClientHello has these semantics: The inclusion of any
>   cipher supported by OpenSSL 1.0.0 means that the client supports it,
>   with the exception of
>   which is never supported. Clients MUST advertise support for at least one
> of

I'm no longer comfortable with 128-bit symmetric keys.  An attacker
with many messages encrypted with a 128-bit symmetric cipher can
attempt a brute-force search on many messages at once, and is likely
to succeed in finding keys for some messages.  (See
http://cr.yp.to/papers.html#bruteforce .)

>   The server MUST choose a ciphersuite with ephemeral keys for forward
>   secrecy; MUST NOT choose a weak or null ciphersuite; and SHOULD NOT
>   choose any cipher other than AES or 3DES.
> Discussion and consequences:
>   Currently, OpenSSL 1.0.0 (in its default configuration) supports every
>   cipher that we would need in order to give the same list as Firefox
>   versions 8 through 11 give in their default configuration, with the
>   exception of the FIPS ciphersuite above.  Therefore, we will be able
>   to fake the new ciphersuite list correctly in all of our bundles that
>   include OpenSSL, and on every version of Unix that keeps up-to-date.
>   However, versions of Tor compiled to use older versions of OpenSSL, or
>   versions of OpenSSL with some ciphersuites disabled, will no
>   longer give the same ciphersuite lists as other versions of Tor.  On
>   these platforms, Tor clients will no longer impersonate Firefox.
>   Users who need to do so will have to download one of our bundles, or
>   use a (non-system) OpenSSL.


>   The proposed spec change above tries to future-proof ourselves by not
>   declaring that we support every declared cipher, in case we someday
>   need to handle a new Firefox version.  If a new Firefox version
>   comes out that uses ciphers not supported by OpenSSL 1.0.0, we will
>   need to define whether clients may advertise its ciphers without
>   supporting them; but existing servers will continue working whether
>   we decide yes or no.

Why standardize on OpenSSL 1.0.0, rather than OpenSSL 1.0.1?

>   The restriction to "servers SHOULD only pick AES or 3DES" is meant to
>   reflect our current behavior, not to represent a permanent refusal to
>   support other ciphers.  We can revisit it later as appropriate, if for
>   some bizarre reason Camellia or Seed or Aria becomes a better bet than
>   AES.
> Open questions:
>   Should the client drop connections if the server chooses a bad
>   cipher, or a suite without forward secrecy?
>   Can we get OpenSSL to support the dubious FIPS suite excluded above,
>   in order to remove a distinguishing opportunity?  It is not so simple
>   as just editing the SSL_CIPHER list in s3_lib.c, since the nonstandard
>   SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA cipher is (IIUC) defined to use the
>   TLS1 KDF, while declaring itself to be an SSL cipher (!).

Would that FIPS ciphersuite provide forward secrecy?  If not, then
there is no point in having clients or servers implement it.

>   Can we do anything to eventually allow the IE7+[**] cipher list as
>   well?  IE does not support TLS_DHE_RSA_WITH_AES_{256,128}_SHA or
>   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, and so wouldn't work with current
>   Tor servers, which _only_ support those.  It looks like the only
>   forward-secure ciphersuites that IE7+ *does* support are ECDHE ones,
>   and DHE+DSS ones.  So if we want this flexibility, we could mandate
>   server-side ECDHE, or somehow get DHE+DSS support (which would play
>   havoc with our current certificate generation code IIUC), or say that
>   it is sometimes acceptable to have a non-forward-secure link
>   protocol[***].  None of these answers seems like a great one.  Is one
>   best?  Are there other options?

The certificate-chain validation code and the v3 handshake protocol
would be a bigger issue with DSS or ECDSA ciphersuites.

>   [**] Actually, I think it's the Windows SChannel cipher list we
>   should be looking at here.
>   [***] If we did _that_, we'd want to specify that CREATE_FAST could
>   never be used on a non-forward-secure link.  Even so, I don't like the
>   implications of leaking cell types and circuit IDs to a future
>   compromise.

A relay whose link protocol implementations can't provide forward
secrecy to its clients cannot be used as an entry guard -- it would be
overloaded with CREATE cells very quickly.

Robert Ransom

More information about the tor-dev mailing list