Re: [TLS] SCSVs and SSLv3 fallback

"Yngve N. Pettersen" <yngve@spec-work.net> Mon, 08 April 2013 20:54 UTC

To: Martin Rex <mrex@sap.com>
References: <20130408204113.601EA1A698@ld9781.wdf.sap.corp>
Date: Mon, 08 Apr 2013 22:54:46 +0200
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.wu8ppkb73dfyax@killashandra.invalid.invalid>
In-Reply-To: <20130408204113.601EA1A698@ld9781.wdf.sap.corp>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] SCSVs and SSLv3 fallback

On Mon, 08 Apr 2013 22:41:13 +0200, Martin Rex <mrex@sap.com> wrote:

> Yngve N. Pettersen wrote:
>>
>> Even with the reminder about tolerance in RFC 5746 0.15% of renego patched
>> servers are extension (88%) and/or version intolerant (24%) in the TLS 1.0
>> to TLS 1.2 range, and the reason they are still around is that the other
>> clients have not enforced a no-rollback policy for renego patched servers.
>> Overall, 14.7% are intolerant for those in the 3.x and/or 4.x range.
>
> Huh? -------------------------------------------------------^^^
>
> Why would you ever check for 4.xx version numbers?
>
> Rejecting 4.x version numbers is perfectly OK for TLS servers!
>
> rfc5246 says:
>                                                           TLS servers
>    compliant with this specification MUST accept any value {03,XX} as
>    the record layer version number for ClientHello.
>
>    TLS clients that wish to negotiate with older servers MAY send any
>    value {03,XX} as the record layer version number.
>
> A TLS client that uses a version {04,00} at the record layer or in
> ClientHello.client_version is squarely in undefined territory,
> and every conceivable server behaviour is perfectly compliant
> with the TLSv1.2 spec.  (Personally, however, I believe that
> crashing is never a valid option for the server).

The keywords are "forward compatibility".

And your quote concerns the *record* layer version, which is 3.1 in my
test case.

The 4.1 that I am using in my test is set in the
*ClientHello.client_version* field.

IMO an SSL/TLS server MUST tolerate ANY ClientHello.client_version larger
than its own highest supported version, and when returning the ServerHello
will reply with whatever its highest supported version is.

-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/
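The distinction drawn in the message above (record-layer version {03,01} versus ClientHello.client_version {04,01}) and the forward-compatible selection rule it argues for, as an added example that is not part of the original thread. The ClientHello bytes are constructed here, not captured from any server; the two selection functions are illustrative, with the "intolerant" one modelling the rejection behaviour the scan reports rather than any specific product.

```python
import struct

SERVER_MIN = (3, 1)   # lowest version this illustrative server accepts (TLS 1.0)
SERVER_MAX = (3, 3)   # highest version it supports (TLS 1.2)


def build_client_hello(record_version, client_version):
    """Build a minimal TLS record carrying a ClientHello (constructed test input).
    record_version goes in the 5-byte record header; client_version is the
    first field of the ClientHello body, so the two can legitimately differ."""
    body = struct.pack("!BB", *client_version)           # ClientHello.client_version
    body += b"\x00" * 32                                  # random (constructed, all zero)
    body += b"\x00"                                       # session_id length = 0
    body += struct.pack("!H", 2) + b"\x00\x2f"            # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                                   # compression_methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello(1) + 24-bit length
    return b"\x16" + struct.pack("!BB", *record_version) + struct.pack("!H", len(hs)) + hs


def parse_versions(record):
    """Return (record_version, client_version) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = (record[1], record[2])
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    return record_version, (hs[4], hs[5])


def tolerant_server_version(client_version):
    """Forward-compatible rule from the message: any client_version at or above
    the server's maximum, including an unknown major such as (4, 1), yields the
    server's own highest version. Only versions below the minimum are refused."""
    if client_version < SERVER_MIN:
        return None                      # too old: would be a protocol_version alert
    return min(client_version, SERVER_MAX)


def intolerant_server_version(client_version):
    """Version-intolerant behaviour of the kind the scan counts: anything outside
    the known {03,XX} range, or above the server's maximum, is rejected outright."""
    if client_version[0] != 3 or not (SERVER_MIN <= client_version <= SERVER_MAX):
        return None
    return client_version


def negotiate(record, select):
    """Apply a selection rule to the client_version carried in a ClientHello record."""
    _, client_version = parse_versions(record)
    return select(client_version)
```

Running `negotiate(build_client_hello((3, 1), (4, 1)), tolerant_server_version)` returns (3, 3), while the intolerant rule returns None for the same record.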