Re: [TLS] checking on an scsv point
Martin Thomson <martin.thomson@gmail.com> Tue, 17 February 2015 22:35 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 530731A88CF for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 14:35:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ppmXDi6whbdT for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 14:35:34 -0800 (PST)
Received: from mail-ob0-x229.google.com (mail-ob0-x229.google.com [IPv6:2607:f8b0:4003:c01::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F57C1A1B3A for <tls@ietf.org>; Tue, 17 Feb 2015 14:35:34 -0800 (PST)
Received: by mail-ob0-f169.google.com with SMTP id wp4so58828982obc.0 for <tls@ietf.org>; Tue, 17 Feb 2015 14:35:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=HIUXiQWuq3wEz0FRWyomF21i9LFy11HqBTNEBBOcvcI=; b=gw89eB/T+vzw1TLkdcdBGzClo4JYu8HvrZdKtVOzU9UiBaTYR8DjEKZYWzJ9ZQ9f9X tng03L1cZ0y7Knmisp+N13tRCNrz8oe85iZyZIn0vbHX43zunImG19y8aMsw9NkopMSS ifGCefuEeggU7+mkaQKsU4eTSSjXkXOFWLLsgs5v+JnnpSWwp45fDVA6deBbZwbbj6+v 0B/h/rgBsbAj5++KZn5IwEVXKKD43hzcvPSNJTv9BalTtPQgAfw9U4SGft/zr7i8B9be 54ZIWgnD/Iq8Z9tOq6wtXpSIm6n/jkz9vNih/5CB9pE2hKZ/rKjf2Cgpo4bjKh+nX0sD j/ww==
MIME-Version: 1.0
X-Received: by 10.182.60.197 with SMTP id j5mr19949690obr.85.1424212533387; Tue, 17 Feb 2015 14:35:33 -0800 (PST)
Received: by 10.202.225.135 with HTTP; Tue, 17 Feb 2015 14:35:33 -0800 (PST)
In-Reply-To: <54E3BFE3.5080204@cs.tcd.ie>
References: <54E3BFE3.5080204@cs.tcd.ie>
Date: Wed, 18 Feb 2015 09:35:33 +1100
Message-ID: <CABkgnnW+HpGuKq5BZo+OAeF_p00sWqccPk5bcsWJ-obKNU-7eg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/-tdfWRktEo9ceIWPxpewpHgJNVE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] checking on an scsv point
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 22:35:36 -0000
FWIW, I just checked and an NSS client would fail the handshake if a server did this. We'd probably need new configuration to avoid the "upgrade attack" if this were permitted. On 18 February 2015 at 09:25, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > In going over the threads on this I think there was one point of > Martin's where it wasn't clear to me that the WG considered his > proposal. That might be because it was raised just before the > holidays and was part of a mega-thread and fairly deeply embedded > in a longer message. Anyway, I asked Martin if he could describe > it better and he did (see below) so I'd like to just check that > the WG don't in fact want this. > > If you do not want to make this change, silence if fine, but if > you would implement this in your TLS stack then please say so in > the next few days. (Pretty please: let's not side-track - I'm > really only looking for "yes, I'd implement that in my TLS > code" responses, or silence:-) > > I figure it's not likely that the WG will want this, but if > there's a groundswell for doing it, we can handle the process > stuff, so don't worry about that. > > Thanks, > S. > > What I've been asking for time and time again is allowing (adding) > an additional/alternative server behaviour, which a TLS (server) > implementer will be _allowed_ to implement instead of a fatal > handshake failure. > > The most simplistic alternative server behaviour would be for > the server to continue the handshake successfully, using > > ServerHello.server_version = (ClientHello.client_version + 1) > > i.e. negotiating a _higher_ TLS version instead of aborting the > TLS handshake with a fatal error. > > A client (and this affects only the clients that assert the > FALLBACK_SCSV) will be able to recognize that the server supports a > higher TLS protocol version than what the TLS client proposed in > ClientHello.client_version, and it will be left to that client to > decide whether the resulting TLS session properties are OK, or wether > the client want to take chances, establishing a new connection, > starting a new handshake and proposing other/additional TLS protocol > features in ClientHello that it might have omitted (for whatever > reason) in the last ClientHello. > > This alternative behaviour is better, because it provides actual > *interoperability* between TLS client and TLS server -- and in many > cases the same or reasonably secure TLS session properties without > the need for complex heuristics and a whole new connection establishment > and handshake through the entire application protocol stack > (such as HTTP CONNECT proxy traversals or the stuff before STARTTLS). > > Keep in mind that I'm NOT asking to make early adopter servers(!) > non-compliant. Admittedly, I don't know what exactly the early > adopting clients will currently do when they receive > > ServerHello.server_version = (ClientHello.client_version + 1) > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] checking on an scsv point Stephen Farrell
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Henrik Grubbström
- Re: [TLS] checking on an scsv point David Benjamin
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Thomson