IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Andrey Jivsov <crypto@brainhub.org> Sat, 25 October 2014 07:55 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 522781A8547 for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 00:55:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Yfy5lf6GP_2 for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 00:55:18 -0700 (PDT)
Received: from resqmta-ch2-06v.sys.comcast.net (resqmta-ch2-06v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:38]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88C741A8029 for <tls@ietf.org>; Sat, 25 Oct 2014 00:55:18 -0700 (PDT)
Received: from resomta-ch2-13v.sys.comcast.net ([69.252.207.109]) by resqmta-ch2-06v.sys.comcast.net with comcast id 7KvB1p0012N9P4d01KvHNF; Sat, 25 Oct 2014 07:55:17 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-ch2-13v.sys.comcast.net with comcast id 7KvG1p0074uhcbK01KvGw4; Sat, 25 Oct 2014 07:55:17 +0000
Message-ID: <544B5764.9020006@brainhub.org>
Date: Sat, 25 Oct 2014 00:55:16 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Bodo Moeller <bmoeller@acm.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5449E969.9000800@brainhub.org> <CADMpkc+cLJNMYZb4OqukM7qT1aPsqEmCF0JxOyuLYe=78BEcgQ@mail.gmail.com> <544AB4B4.2010305@brainhub.org> <CADMpkc+cku0G6SKs7ZX6oHidiP2X8x8KfB9+E7mjYcNDXrPw9w@mail.gmail.com>
In-Reply-To: <CADMpkc+cku0G6SKs7ZX6oHidiP2X8x8KfB9+E7mjYcNDXrPw9w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1414223717; bh=xFQnxQLs5SY1TVH0NwqVBU1uY8SBKQ1tNw0ZsHdBni4=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=PwwcavHCd47g85K9/wLKiJNZNPTz6Oi4y7eB1jwkghe9vuUQ3qbQlcZda0xJyghPi /Nweqa31IUgQJNN78TPvQwSm/Ms2C9QSx2XZohPOFRKHjohAaTgPbQHcr4/MVBItgP Fzl3WPifVtLhZfW0MwjFn7WtequSHbdMS0sTFQbR4xp7ayj9kTuf0ymHvVPqj+Tdxu tCPjOP/PxqO9r4AUJCA8+Rdrb1ibNPE7A+0U4Oe6d9XyOztcPfpdps5hlCTOo03q8v s23dfrC7d22sBHoy/dQqC6UXXgnH9QU8TJyiodmKlxsRM/3WUQADDG/4PSbxhFd1HA pszPLCGCpRqIw==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/52QvqNHSLPygQFZKqshrxQrgsR4
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Oct 2014 07:55:20 -0000

On 10/24/2014 04:04 PM, Bodo Moeller wrote:
>
> >> Also note that in the *specific* hypothetical scenario that you 
> describe, the server actually would accept the fallback retry: you 
> said that TLS 1.0 is the highest protocol version supported by the 
> server; this is not higher than ClientHello.client_version in the TLS 
> 1.1 retry, so the server wouldn't reject.)
>
> > No, this is not what I was saying.
>
> Yes, it is ("Let's assume that the server supports all protocols 
> SSL3.0-TLS1.0").  I gather that's not what you meant, though.
>
( Sorry for confusion caused by two typos. )

Yes, I am talking about a "modern" server (so TLS1.2 is implemented or 
TLS1.3 in the near future).

> > In my scenario the server supports TLS1.2 in general with some 
> ciphersuites (and will support TLS1.3 in the future). The server is 
> configured in a way that the ciphersuite that it can negotiate with 
> the client requires SSLv3.
> >
> > What does draft-ietf-tls-downgrade-scsv-03 want the server to do 
> here: assume it's highest version is TLS1.2 or SSL 3.0? I.e. is the 
> max. version a static property on the server or dynamic based on 
> ciphers in ClientHello?
>


> There's no -03 draft, but the current draft's implication should be 
> clear: the server compares protocol versions only and hence rejects. 
> (Pretending that the highest protocol version is SSL 3.0 wouldn't make 
> sense.)
>

Thanks, that's what I thought the draft is saying. The server simply 
uses hardcoded value that represents the highest version it implements. 
Well, consider that if the server "pretends" that its version is SSL 3.0 
(because this is what it will negotiate in my example, along the lines 
of the logic for the client in the draft), this will avoid breaking the 
fallback connection, an unnecessary failure in the example I gave.

Repeating my point earlier, it looks kind of harsh to fail TLS 1.1 on 
the server when it can only negotiate SSL3.0 with that client.

In summary, I still don't see good justification for discrepancy: the 
client "SHOULD include the TLS_FALLBACK_SCSV", while the server "MUST 
respond with an inappropriate_fallback". I would prefer that the server 
had SHOULD keyword, which is a reasonable keyword for secure protocols. 
The draft is not MUST with TLS, of course, and it would be reasonable to 
give some wiggle room to server implementation to determine when to fail 
the handshake.

v2.40.3 | Report a Bug | By Email | System Status