IETF Logo Mail Archive

Re: [TLS] AES and SSLv3 (was Re: Unfortunate current practices for HTTP

Martin Rex <mrex@sap.com> Wed, 19 January 2011 01:10 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 93D303A7080 for <tls@core3.amsl.com>; Tue, 18 Jan 2011 17:10:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.16
X-Spam-Level:
X-Spam-Status: No, score=-10.16 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lnp108GUuo5e for <tls@core3.amsl.com>; Tue, 18 Jan 2011 17:10:44 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 83EEA3A7053 for <tls@ietf.org>; Tue, 18 Jan 2011 17:10:44 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id p0J1DM7S020294 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 19 Jan 2011 02:13:22 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201101190113.p0J1DLPw018889@fs4113.wdf.sap.corp>
To: mike-list@pobox.com
Date: Wed, 19 Jan 2011 02:13:21 +0100
In-Reply-To: <4D363198.2050301@pobox.com> from "Michael D'Errico" at Jan 18, 11 04:34:32 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] AES and SSLv3 (was Re: Unfortunate current practices for HTTP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jan 2011 01:10:45 -0000

Michael D'Errico wrote:
> 
> The SHA-256 cipher suites aren't compatible with SSLv3 since the SSLv3
> spec only shows what to do with MD5 and SHA-1.  But there is nothing
> about AES which is incompatible with SSLv3, and indeed my server is able
> to negotiate non-SHA-256 AES_CBC cipher suites with SSLv3 clients that
> offer them.
> 
> So my question is now:
> 
>      If a client offers AES cipher suites in a ClientHello with a
>      version of 0300, why is it wrong to choose one of them?

I'm not aware of _any_ reason why the ciphersuites defined in rfc-3268.

In fact, if you look at rfc-3268:

Cipher Usage

   The new ciphersuites proposed here are very similar to the following,
   defined in [TLS]:

   TLS_RSA_WITH_3DES_EDE_CBC_SHA
   TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
   TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
   TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA

and then look up these cipher suites in rfc-2246 and then in
SSLv3 draft302.txt, you ought to realize that these "very similar"
cipher suites are really SSLv3 cipher suites.

Using and interoperating AES cipher suites from rfc-3268 with
Firefox and OpenSSL works without any additional thoughts.
(preventing it from working probably require additonal code).

Since AES128 is faster than tripleDES it would be unreasonable
to leave this cipher suite _not_ working with SSLv3.

But I know of at least one TLS implementation shipped by a large vendor
that aborts on the combination of rfc-3268 cipher suites and SSLv3.


-Martin

v2.23.0 | Report a Bug | By Email