New in Opera Presto 2.2: TLS 1.2 Support
By Yngve Nysæter Pettersen (yngve). Wednesday, February 25, 2009 2:27:00 PM
One of the new, but less obvious, features in Opera Presto 2.2 and Opera 10 is support for version 1.2 of the Transport Layer Security (TLS) protocol, the protocol formerly known as SSL.
TLS 1.2 was released as RFC 5246 last August, replacing TLS 1.1 (RFC 4346).
What is new in TLS 1.2?
This version of the protocol has several new features:
- The calculation of encryption keys is now more dynamic: new cipher suites (the set of encryption methods used by a connection) can define their own key-derivation method rather than being limited to the default one. This was necessary because some suites, such as a Russian one, could not be used with the default method.
- The default digest method is now SHA-256, offering stronger security.
- Several new cipher suites (using existing encryption methods) also use SHA-256.
- It has better ways to negotiate what signature algorithms the client supports.
Using SHA-256 as the digest method means we are using a more secure method for all the important calculations, and it removes TLS's dependency on MD5. While MD5 is used in a fashion that should reduce the impact of, if not eliminate, the problems the MD5 method is now encountering, the fact that the method is crumbling is, at best, problematic for TLS 1.1 and TLS 1.0.
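The key-calculation change and the move to SHA-256 described above, as an added example (not Opera's code or the post's): the TLS 1.2 PRF from RFC 5246 with the hash supplied by the cipher suite, used to derive a master secret. The pre-master secret and randoms are constructed sample values.

```python
# Added example (not Opera's code or the post's): the TLS 1.2 PRF of RFC 5246
# section 5, with the hash chosen by the cipher suite (SHA-256 by default).
# All secrets and randoms below are constructed sample values.
import hmac


def hmac_digest(hash_name, key, msg):
    """HMAC_<hash>(key, msg) as raw bytes."""
    return hmac.new(key, msg, hash_name).digest()


def p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) from RFC 5246: expand with HMAC over A(1), A(2), ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_digest(hash_name, secret, a)
        out += hmac_digest(hash_name, secret, a + seed)
    return out[:length]


def prf(secret, label, seed, length, hash_name="sha256"):
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed).
    TLS 1.0/1.1 split the secret between P_MD5 and P_SHA1 and XORed the
    results; TLS 1.2 uses one suite-selected hash, so MD5 leaves the path."""
    return p_hash(hash_name, secret, label.encode("ascii") + seed, length)


def master_secret(pre_master_secret, client_random, server_random, hash_name="sha256"):
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47] (RFC 5246 section 8.1)."""
    return prf(pre_master_secret, "master secret",
               client_random + server_random, 48, hash_name)


# Constructed sample inputs, not real session data.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)

if __name__ == "__main__":
    print("SHA-256 PRF:", master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).hex())
    # A suite that defines its own PRF hash (RFC 5246 allows this; the
    # SHA-384 suites do) just passes a different digest name.
    print("SHA-384 PRF:", master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM, "sha384").hex())
```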
Additionally, the document now includes the TLS extensions specification. This means that developers no longer need two documents to get all details about the formats used for these.
The document also added an implementor's checklist, making it easier for developers to catch mistakes early. This was added in part due to Opera's findings about the lack of interoperability between many clients and servers, often due to server-side implementation errors.
There are currently few, if any, production servers using TLS 1.2, which is to be expected for a new protocol version, but there are a couple of test servers available.
What is new in Opera relating to TLS?
Adapting Opera's TLS stack to support TLS 1.2 required some significant changes, mostly caused by the new flexibility in the key calculation.
The TLS feature testing, which determines the highest version of TLS supported by the server, was also slightly modified, and it will now always require TLS Extensions for TLS 1.1 and higher. In future upgrades we will also assume that any server supporting TLS 1.1 or higher will not panic if the client offers a protocol version newer than it supports, and will test TLS 1.0, TLS 1.0 with extensions, TLS 1.1 with extensions, and then the highest TLS version we support. A few years down the road we may also remove this cumbersome method and offer our highest version in the first connection.
These changes resulted in a redesign with so many deep changes that the dormant support for SSL v2 was removed completely from the source code. Although the binary formats of TLS 1.2 and SSL v2 are incompatible, it is possible for them to co-exist, but the cost of making sure the inactive code actually worked would be too high. SSL v2 has been disabled by default in Opera since v8.0, and the actual functionality was disabled completely in 9.5. It would just not be economical to make sure this protocol version still works, along with the associated internal structure changes, when we have no intention of reactivating the code again. Instead, it was much easier to just "tear out" the code.
Testing
If you want to test TLS 1.2, Michael D'Errico, who is developing his own TLS toolkit, has graciously agreed to let you test against his server at https://www.mikestoolbox.net/. This server uses two private Root Certificates, <1> and <2>, which you may want to import into your test configuration (if you don't install them, you may need to reload once after a negotiation error). When importing the certificates, after saving them to disk, you must remember to click "View" to go to the details dialog and uncheck the "Warn about" checkbox before completing the installation. When connecting to Michael's server you should get a page that includes these two lines:
TLS version: 1.2
Cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (006B)
Mike was quite helpful while we were debugging our implementation and helped clear up several mistakes. We also use his server in our automatic regression tests, and we thank him for the assistance.
First Root Certificate for Mikes Toolbox
Second Root Certificate for Mikes Toolbox (needed in 10.0)
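As an added example (not code from the post or from Opera), here is a small parser that checks a ServerHello for the two facts the test page reports, plus the renegotiation_info extension (RFC 5746) that the comments below name as the gate for attempting TLS 1.1 and 1.2. The ServerHello bytes are constructed inside the block.

```python
# Added example (not code from the post or from Opera): parse a TLS ServerHello
# (RFC 5246 section 7.4.1.3) for the negotiated version and cipher suite, plus
# whether the server sent renegotiation_info (RFC 5746). The message is
# constructed here; only the suite shown in the post is named.
import struct

VERSIONS = {0x0301: "1.0", 0x0302: "1.1", 0x0303: "1.2"}
SUITES = {0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}
EXT_RENEGOTIATION_INFO = 0xFF01

def build_server_hello(version, suite, extensions):
    """Constructed ServerHello handshake message (record header omitted)."""
    body = struct.pack(">H", version) + bytes(32)        # version + 32-byte random (zeros: sample)
    body += b"\x00" + struct.pack(">HB", suite, 0)       # empty session id, suite, null compression
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body # type server_hello(2), 24-bit length

def parse_server_hello(msg):
    """Return version, cipher suite and renego_patched flag, or raise ValueError."""
    if not msg or msg[0] != 2:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", body[:2])[0]
    pos = 35 + body[34]                                  # past version, random, session id
    suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 3                                             # suite + compression byte
    renego = False
    if pos < len(body):                                  # extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            renego |= etype == EXT_RENEGOTIATION_INFO
            pos += 4 + elen
    return {"version": VERSIONS.get(version, "0x%04x" % version),
            "cipher_suite": "%s (%04X)" % (SUITES.get(suite, "unknown"), suite),
            "renego_patched": renego}

# What the post's test server should answer: TLS 1.2, suite 006B, renego patched.
SAMPLE = build_server_hello(0x0303, 0x006B, [(EXT_RENEGOTIATION_INFO, b"\x00")])

if __name__ == "__main__":
    for key, value in parse_server_hello(SAMPLE).items():
        print("%s: %s" % (key, value))
```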
Comments
Charles Schloss (Chas4) # Wednesday, February 25, 2009 10:58:17 PM
Great post explaining what TLS 1.2 is
Opera always ahead of the competition
John (handsometechnews) # Thursday, April 22, 2010 9:43:06 PM
Fred Quecksilber (anightatheopera) # Saturday, October 22, 2011 12:34:46 AM
Connect to one of the TLS 1.2 enabled servers with Opera (tested with 11.5 on Linux) and you will see that Opera connected to the site using TLS 1.0. The only way to convince Opera to use TLS 1.1 or TLS 1.2 is to *disable* TLS 1.0 and restart Opera. This renders your TLS 1.2 support useless.
Yngve Nysæter Pettersen (yngve) # Saturday, October 22, 2011 2:18:10 AM
As long as the server is not TLS 1.2 enabled, it is not possible to negotiate TLS 1.2.
Also, for performance reasons, currently TLS 1.1 and TLS 1.2 are not tested unless the server is known to be TLS Renego patched, due to the significant number (1.8% of all) of unpatched servers that have interoperability trouble with clients indicating that version.
If you want to try a known TLS 1.2 capable server, try https://certs.opera.com/ (make sure your installation has TLS 1.1 and TLS 1.2 enabled).
Charles Schloss (Chas4) # Saturday, October 22, 2011 2:31:14 AM
Fred Quecksilber (anightatheopera) # Monday, October 24, 2011 7:56:50 AM
Yngve Nysæter Pettersen (yngve) # Monday, October 24, 2011 8:21:54 AM
However, remember what I said about the server having to support secure renegotiation (RFC 5746). Opera will not try TLS 1.1 and newer unless the server supports that.
Fred Quecksilber (anightatheopera) # Monday, October 24, 2011 8:36:17 AM
See the URL https://www.ssllabs.com/ssldb/index.html . All the best rated servers from ssllabs support TLS 1.1 or higher, otherwise they wouldn't be best rated :-). You can also use that URL to check which SSL/TLS versions and cipher suites they support.
Fred Quecksilber (anightatheopera) # Monday, October 24, 2011 8:55:01 AM
Yngve Nysæter Pettersen (yngve) # Monday, October 24, 2011 9:43:56 AM
Yngve Nysæter Pettersen (yngve) # Monday, October 24, 2011 3:52:29 PM
bugzilla.samba.org is not renego patched, and for that reason TLS 1.1 and TLS 1.2 are not attempted.
Fred Quecksilber (anightatheopera) # Tuesday, October 25, 2011 2:37:32 PM
Yngve Nysæter Pettersen (yngve) # Tuesday, October 25, 2011 3:48:13 PM
In short, given the present procedure, since most renego-unpatched servers are TLS 1.0 servers, and a significant percentage of them are version and/or extension intolerant, it is a waste of time to signal TLS 1.1 or 1.2 to those servers in an attempt to connect with TLS 1.1+ to an unpatched server.