IETF Logo Mail Archive

Re: [TLS] inappropriate_fallback

Hubert Kario <hkario@redhat.com> Thu, 09 August 2018 16:11 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98D1C130E5C for <tls@ietfa.amsl.com>; Thu, 9 Aug 2018 09:11:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtMoYAoM-JLF for <tls@ietfa.amsl.com>; Thu, 9 Aug 2018 09:11:50 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CA17130E5B for <tls@ietf.org>; Thu, 9 Aug 2018 09:11:50 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 848F683221; Thu, 9 Aug 2018 16:11:49 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-200-43.brq.redhat.com [10.40.200.43]) by smtp.corp.redhat.com (Postfix) with ESMTP id B22632026D66; Thu, 9 Aug 2018 16:11:48 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Cc: "Short, Todd" <tshort=40akamai.com@dmarc.ietf.org>
Date: Thu, 09 Aug 2018 18:11:43 +0200
Message-ID: <2188947.p4FsqiceqA@pintsize.usersys.redhat.com>
In-Reply-To: <084E22DD-9B7E-4F68-A0F9-AE17CD1830A6@akamai.com>
References: <2fd24f64-bee5-18ed-cf0d-0fc999add395@openssl.org> <9fec7f0c-9591-703a-066f-2eab54a57515@openssl.org> <084E22DD-9B7E-4F68-A0F9-AE17CD1830A6@akamai.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3102651.CdvAXY5VrF"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 09 Aug 2018 16:11:49 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 09 Aug 2018 16:11:49 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/E3J6TN7nZfQIFPfu40n8x647fdI>
Subject: Re: [TLS] inappropriate_fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Aug 2018 16:11:54 -0000

On Thursday, 9 August 2018 16:09:02 CEST Short, Todd wrote:
> > On Aug 9, 2018, at 9:02 AM, Matt Caswell <matt@openssl.org> wrote:
> > 
> > 
> > 
> > On 09/08/18 13:56, Peter Gutmann wrote:
> > 
> >> ​Eric Rescorla <ekr@rtfm.com> writes:
> >> 
> >> 
> >>> So if the server wants TLS 1.1, then it doesn't set the bytes.
> >> 
> >> 
> >> If that's the case then the text that says:
> >> 
> >> 
> >>   If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
> >>   servers SHOULD set the last eight bytes of their Random value ...
> >> 
> >> 
> >> needs to be fixed, beause as far as I can tell that's saying that if the
> >> server wants TLS 1.1 then it has to set the bytes, not that it doesn't
> >> set the
> >> bytes.
> >> 
> >> Here's an example of where this causes problems.  A TLS 1.2 client
> >> connects to
> >> the server.  The server, a TLS 1.2 server, is configured to
> >> use TLS 1.1, so it responds with the signalling bytes in its random
> >> value.
> > 
> > 
> > That's not the way I read it. If a server is configured to use TLSv1.1
> > then its not a TLSv1.3 server and this text doesn't apply (regardless of
> > whether the binary could do TLSv1.3 if it was configured differently).
> > 
> > Matt
> > 
> 
> 
> Agreed.
> 
> If a TLS 1.2 (capable) server is negotiating TLS 1.1 with a TLS 1.2 client,
> then it can’t be considered a TLS 1.2 server, otherwise, it would negotiate
> TLS 1.2.
 
> It must be considered a TLS 1.1 server, since that is the maximum version it
> is configured to support.

actually, no, if it has both TLS 1.2 and TLS 1.1 enabled, then it is a TLS 1.2 
server, so receiving a TLS 1.1 ClientHello with FALLBACK_SCSV MUST fail with 
inappropriate_fallback

if it is has TLS 1.1 enabled, and nothing else, *then* it is TLS 1.1 server, 
and receiving a TLS 1.1 ClientHello with FALLBACK_SCSV SHOULD NOT fail (it may 
fail because of ciphersuite mismatch, but it MUST NOT fail because of the the 
FALLBACK_SCSV being present)

situation with TLS 1.3, TLS 1.2 and downgrade protection from Section 4.1.3 
(bottom of page 37 onwards:
https://tools.ietf.org/html/draft-ietf-tls-tls13-28#page-37) is exactly the 
same – it does not matter what is _implemented_ it matters what is _enabled_

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.23.0 | Report a Bug | By Email