IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Bodo Moeller <bmoeller@acm.org> Sat, 25 October 2014 10:25 UTC

Return-Path: <SRS0=fQLM=7Q=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FEAD1A876F for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 03:25:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.938
X-Spam-Level:
X-Spam-Status: No, score=-0.938 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W8ReSS_QS8sM for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 03:25:36 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB1EB1A8768 for <tls@ietf.org>; Sat, 25 Oct 2014 03:25:35 -0700 (PDT)
Received: from mail-yh0-f48.google.com (mail-yh0-f48.google.com [209.85.213.48]) by mrelayeu.kundenserver.de (node=mreue005) with ESMTP (Nemesis) id 0LroEc-1Y6kex1Rpm-013c3n; Sat, 25 Oct 2014 12:25:33 +0200
Received: by mail-yh0-f48.google.com with SMTP id v1so2272332yhn.7 for <tls@ietf.org>; Sat, 25 Oct 2014 03:25:31 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.36.110 with SMTP id v74mr10358520yha.164.1414232731102; Sat, 25 Oct 2014 03:25:31 -0700 (PDT)
Received: by 10.170.194.15 with HTTP; Sat, 25 Oct 2014 03:25:30 -0700 (PDT)
In-Reply-To: <544B5D82.2080900@brainhub.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5449E969.9000800@brainhub.org> <CADMpkc+cLJNMYZb4OqukM7qT1aPsqEmCF0JxOyuLYe=78BEcgQ@mail.gmail.com> <544AB4B4.2010305@brainhub.org> <CADMpkc+cku0G6SKs7ZX6oHidiP2X8x8KfB9+E7mjYcNDXrPw9w@mail.gmail.com> <544B5764.9020006@brainhub.org> <CABkgnnVcNgC0SXFkfLYJHyxWe0uxDDShfgPgH=JmmTv0KVQhpg@mail.gmail.com> <544B5D82.2080900@brainhub.org>
Date: Sat, 25 Oct 2014 12:25:30 +0200
Message-ID: <CADMpkcLzXV0P8uyoL7F=o3fMUkaJwWZUF7+fBoGYaBri1DgDcg@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="089e0160c47891354405063cb782"
X-Provags-ID: V02:K0:sxJU19nBQQK0FWaGr7rRGr50F72RPyh3hocTvcp4Ox/ C8ngTAg09sU+oqm5jIpotAfsIQhKB+M8AbrHMT70v30IIaXwbz 8RKrxrGdHgcjcoDNuEyrjxHEJT1KX+QjoXXadSgzmYwuKHHfCy wRLQyuR3a7zoUZuqUHFXoDZR7gyRf46RGIyjyC05uRQna6/zBz 4GcP8hd0eqMEhNUv9CTCB5LNlwL/pKLZs2pzeaAM6hAXB5ynnS Oqa8Htd/uQCjo+ObMF9p54ys2Iv9cfrn2nlwGyUKcCnulYHdGu yzxxIZdF0PLmizXaj9f+iM547YAcTrpMJP3bDCvAnrzuxAe1gr fX3l9SrJ9xlOKBAH0QO/CSSIt6IATdYHIaJxC3jnDKtCmFqyUT oQThJGrD5cuU7AU8z1/jybD52tAvNX3MFl70lwaTIQmu3v4BAG y90cS
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/CIs1zLcwN0dxwsm7sHIuqXQQ6T4
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Oct 2014 10:26:08 -0000

Andrey Jivsov <crypto@brainhub.org>:

 If a server is
>> capable of 1.2, but configured with 1.1, only downgraded handshakes to
>> 1.0 or SSL will cause the alert to be generated.
>>
>

>  I don't think this is what Bodo is saying. Sec 3 (server) is missing the
> concept of "configured", while the sec 4 (client) has it.
>

That's an inconsistency that I can fix. If a protocol version is completely
disabled in the server, of course using that version isn't supposed to be
an "inappropriate fallback".



> My example again is:
>
> * the server capable of TLS 1.2 and lower. I mean, it will accept TLS 1.2
> ClientHello.
>

And will negotiate TLS 1.2?

* the pair of the server and client happened to only able negotiate a
> ciphersuite that is set on the server to be SSL3.0
> * client sends TLS1.1+TLS_FALLBACK_SCSV
>
> So, what is server's maximum version? Bodo says it's TLS1.2. Thus,
> TLS1.1+TLS_FALLBACK_SCSV must fail. I say it's harsh because this pair can
> only negotiate SSL 3.0.
>

If the server is willing to negotiate TLS 1.2, then this is an
inappropriate fallback and will fail. It's not reasonable to optimize the
specification to provide extra error redundancy for blatantly stupid
servers as in this scenario (at the cost of making it more complex, which
can lead to other problems).

Bodo

v2.23.0 | Report a Bug | By Email