IETF Logo Mail Archive

Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 21 January 2015 10:56 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C4DC1A1A07 for <tls@ietfa.amsl.com>; Wed, 21 Jan 2015 02:56:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c1ZgrqUm71qS for <tls@ietfa.amsl.com>; Wed, 21 Jan 2015 02:56:06 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 174E31A19EF for <tls@ietf.org>; Wed, 21 Jan 2015 02:56:05 -0800 (PST)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t0LAu3Kq002561 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 21 Jan 2015 05:56:03 -0500
Received: from dhcp-2-127.brq.redhat.com (dhcp-2-127.brq.redhat.com [10.34.2.127]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t0LAu1Cg015024 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Wed, 21 Jan 2015 05:56:02 -0500
Message-ID: <1421837761.2723.32.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 21 Jan 2015 11:56:01 +0100
In-Reply-To: <39B8BC24-D539-456F-970B-B11665B0E892@gmail.com>
References: <40128f312378442fbd26459bf5d7593b@usma1ex-dag1mb2.msg.corp.akamai.com> <, > <20150119192701.190C71B0FF@ld9781.wdf.sap.corp> <, > <CAFewVt6LRafnJN_L=xVeiAxNcpSB+8vPYzquPfjXsduudyj+QQ@mail.gmail.com> <BAY180-W688DE2930CB7F231E60989FF480@phx.gbl> <, <04690E05-4905-4941-A60D-7BC5CDC93431@gmail.com> <> > <BAY180-W1849690A1D8C42F1063DDBFF480@phx.gbl> <39B8BC24-D539-456F-970B-B11665B0E892@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/5HSWm7-HhZhlEn4xmB3mZgnY_Vo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jan 2015 10:56:08 -0000

On Wed, 2015-01-21 at 11:16 +0200, Yoav Nir wrote:
> Thanks

> In that case, I think my implementation would fail with (1.3,1.3).
> Since I can’t know what changes TLS 1.3 made to the record layer, I
> can’t be sure that I understand what I’m parsing. Perhaps those bytes
> that I thought were the ClientHello are actually some new fields that
> were added to the record header.

You can know that. It is mentioned in rfc5246:
https://tools.ietf.org/html/rfc5246#appendix-E.1

"TLS servers compliant with this specification MUST accept any value
{03,XX} as the record layer version number for ClientHello."

It is, then, explicit that the record format cannot change without
changing the TLS major version from 03 to 04 or so.

> If the record layer version exceeds what the server supports, I think
> it wouldn’t be prudent to reply with anything but an alert. Many
> implementations treated the record layer version in the ClientHello as
> a minimum version number. Yes, I know this goes against a MUST
> requirement in appendix E.1 or RFC 5246, but as that appendix says,
> this is behavior that is often implemented.

Well, we can only interoperate as long as we implement the same
protocol, and the protocol is specific on what to do in that case.

regards,
Nikos

v2.23.0 | Report a Bug | By Email