New in Opera Presto 2.2: TLS 1.2 Support
By Yngve Nysæter Pettersen. Wednesday, 25. February 2009, 14:27:00
One of the new, but less obvious, features in Opera Presto 2.2 and Opera 10 is support for version 1.2 of the Transport Layer Security (TLS) protocol, the protocol formerly known as SSL.
TLS 1.2 was released as RFC 5246 last August, replacing TLS 1.1 (RFC 4346).
What is new in TLS 1.2?
This version of the protocol has several new features:
Using SHA-256 as the digest method means we are using a more secure method for all the important calculations, and it removes TLS's dependency on MD5. While MD5 is used in a fashion that should reduce the impact of, if not eliminate, the problems the MD5 method is now encountering, the fact that the method is crumbling is, at best, problematic for TLS 1.1 and TLS 1.0.
Additionally, the document now includes the TLS extensions specification. This means that developers no longer need two documents to get all details about the formats used for these.
The document also added an implementor's checklist, making it easier for developers to catch mistakes early. This was added in part due to Opera's findings about the lack of interoperability between many clients and servers, often due to server-side implementation errors.
There are currently few, if any, production servers using TLS 1.2, which is to be expected for a new protocol version, but there are a couple of test servers available.
What is new in Opera relating to TLS?
Adapting Opera's TLS stack to support TLS 1.2 required some significant changes, mostly caused by the new flexibility in the key calculation.
The TLS feature testing, which determines the highest version of TLS supported by the server, was also slightly modified, and it will now always require TLS Extensions for TLS 1.1 and higher. We will also, in future upgrades, assume that any server supporting TLS 1.1 or higher will not panic if the client offers a protocol version newer than it supports, and will, in the future, test TLS 1.0, TLS 1.0+extenstion, TLS 1.1
(w/extenstion) and then the highest TLS version we support. A few years down the road we may also remove this cumbersome method, and offer our highest version in the first connection.
These changes resulted in a redesign with so many deep changes that the dormant support for SSL v2 was removed completely from the source code. Although the binary formats of TLS 1.2 and SSL v2 are incompatible, it is possible for them to co-exist, but the cost of making sure the inactive code actually worked would be too high. SSL v2 has been disabled by default in Opera since v8.0, and the actual functionality was disabled completely in 9.5. It would just not be economical to make sure this protocol version still works, along with the associated internal structure changes, when we have no intention of reactivating the code again. Instead, it was much easier to just "tear out" the code.
Testing
If you want to test TLS 1.2, Michael D'Errico, who's developing his own TLS toolkit, has graciously agreed to let you test against his server at https://www.mikestoolbox.net/. This server is using two private Root Certificates, <1> and <2> which you may want to import into your test configuration (it may be necessary to reload after a negotiation error once if you don't install it). When importing the certificates, after saving them to disk, you must remember to click "View" to go to the details dialog, and uncheck the "Warn about" checkbox, before completing the installation. When connecting to Michael's server you should get a page that includes these two lines:
Mike was quite helpful while we were debugging our implementation and helped clear up several mistakes. We also use his server in our automatic regression tests, and we thank him for the assistance.
First Root Certificate for Mikes Toolbox
Second Root Certificate for Mikes Toolbox (needed in 10.0)
TLS 1.2 was released as RFC 5246 last August, replacing TLS 1.1 (RFC 4346).
What is new in TLS 1.2?
This version of the protocol has several new features:
- The way calculation of encryption keys is performed is made more dynamic, and new ciphersuites (set of encryption methods used by a connection) can define their own method, rather than having only the default one. This was necessary because some suites, such as a russian one, could not be used with the default method.
- The default digest method is now SHA-256, offering stronger security.
- Several new cipher suites (using existing encryption methods) also use SHA-256.
- It has better ways to negotiate what signature algorithms the client supports.
Using SHA-256 as the digest method means we are using a more secure method for all the important calculations, and it removes TLS's dependency on MD5. While MD5 is used in a fashion that should reduce the impact of, if not eliminate, the problems the MD5 method is now encountering, the fact that the method is crumbling is, at best, problematic for TLS 1.1 and TLS 1.0.
Additionally, the document now includes the TLS extensions specification. This means that developers no longer need two documents to get all details about the formats used for these.
The document also added an implementor's checklist, making it easier for developers to catch mistakes early. This was added in part due to Opera's findings about the lack of interoperability between many clients and servers, often due to server-side implementation errors.
There are currently few, if any, production servers using TLS 1.2, which is to be expected for a new protocol version, but there are a couple of test servers available.
What is new in Opera relating to TLS?
Adapting Opera's TLS stack to support TLS 1.2 required some significant changes, mostly caused by the new flexibility in the key calculation.
The TLS feature testing, which determines the highest version of TLS supported by the server, was also slightly modified, and it will now always require TLS Extensions for TLS 1.1 and higher. We will also, in future upgrades, assume that any server supporting TLS 1.1 or higher will not panic if the client offers a protocol version newer than it supports, and will, in the future, test TLS 1.0, TLS 1.0+extenstion, TLS 1.1
(w/extenstion) and then the highest TLS version we support. A few years down the road we may also remove this cumbersome method, and offer our highest version in the first connection.
These changes resulted in a redesign with so many deep changes that the dormant support for SSL v2 was removed completely from the source code. Although the binary formats of TLS 1.2 and SSL v2 are incompatible, it is possible for them to co-exist, but the cost of making sure the inactive code actually worked would be too high. SSL v2 has been disabled by default in Opera since v8.0, and the actual functionality was disabled completely in 9.5. It would just not be economical to make sure this protocol version still works, along with the associated internal structure changes, when we have no intention of reactivating the code again. Instead, it was much easier to just "tear out" the code.
Testing
If you want to test TLS 1.2, Michael D'Errico, who's developing his own TLS toolkit, has graciously agreed to let you test against his server at https://www.mikestoolbox.net/. This server is using two private Root Certificates, <1> and <2> which you may want to import into your test configuration (it may be necessary to reload after a negotiation error once if you don't install it). When importing the certificates, after saving them to disk, you must remember to click "View" to go to the details dialog, and uncheck the "Warn about" checkbox, before completing the installation. When connecting to Michael's server you should get a page that includes these two lines:
TLS version: 1.2
Cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (006B)
Mike was quite helpful while we were debugging our implementation and helped clear up several mistakes. We also use his server in our automatic regression tests, and we thank him for the assistance.
First Root Certificate for Mikes Toolbox
Second Root Certificate for Mikes Toolbox (needed in 10.0)
WIDGETIZE