Re: [TLS] checking on an scsv point
Henrik Grubbström <grubba@gmail.com> Tue, 17 February 2015 23:19 UTC
Return-Path: <grubba@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A5201A90F3 for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 15:19:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 962jOruTg9GJ for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 15:19:39 -0800 (PST)
Received: from mail-la0-f54.google.com (mail-la0-f54.google.com [209.85.215.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 698E01A8A55 for <tls@ietf.org>; Tue, 17 Feb 2015 15:19:39 -0800 (PST)
Received: by labpv20 with SMTP id pv20so38656408lab.8 for <tls@ietf.org>; Tue, 17 Feb 2015 15:19:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Ue5Jgim5rreUlk7HKofOZeQmnxoVioli+vFhUfJLQHY=; b=IRSsvSAy5NUED4Jfc6Gzb/3pk6QmE2K0qmMNRLmcBl782+8Cjre09cmjBCnio3ByrJ 5y7ZqTs5LUZd930A77SSPq5R5QpIU4Y/w37+MKmIIQEEeBMvgQQTgUPV+L3IlzyWhPuW lHKlMcUiQCVrUOBfbUfWtVGt3CrWRI+f1V14erx/b02dmQ8RGa2C0oheL0THtvhrCUnT iEWkRbF72UIMnlMyHbx3tNXejs5/U0r27reVlUdTpRYyr53ZXLjWmM0u5Ly3+vMhEVEb gsh9+j57r5c9JO5YCWsLnXCskcppEDapweSJzlsV4Hp5jGOX3V3cpH7CgCJksenWy+KC Eb/w==
MIME-Version: 1.0
X-Received: by 10.112.39.69 with SMTP id n5mr28510740lbk.1.1424215177988; Tue, 17 Feb 2015 15:19:37 -0800 (PST)
Received: by 10.112.241.69 with HTTP; Tue, 17 Feb 2015 15:19:37 -0800 (PST)
In-Reply-To: <54E3BFE3.5080204@cs.tcd.ie>
References: <54E3BFE3.5080204@cs.tcd.ie>
Date: Wed, 18 Feb 2015 00:19:37 +0100
Message-ID: <CALuAYvYZut20D=73f58RL+mykR_r5kQAqYKeoubH2i6dipDrAw@mail.gmail.com>
From: Henrik Grubbström <grubba@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/FWPj6SigFBu5vuyx8eSpG9infbE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] checking on an scsv point
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 23:19:41 -0000
On Tue, Feb 17, 2015 at 11:25 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: [...] > A client (and this affects only the clients that assert the > FALLBACK_SCSV) will be able to recognize that the server supports a > higher TLS protocol version than what the TLS client proposed in > ClientHello.client_version, and it will be left to that client to > decide whether the resulting TLS session properties are OK, or wether > the client want to take chances, establishing a new connection, > starting a new handshake and proposing other/additional TLS protocol > features in ClientHello that it might have omitted (for whatever > reason) in the last ClientHello. > > This alternative behaviour is better, because it provides actual > *interoperability* between TLS client and TLS server -- and in many > cases the same or reasonably secure TLS session properties without > the need for complex heuristics and a whole new connection establishment > and handshake through the entire application protocol stack > (such as HTTP CONNECT proxy traversals or the stuff before STARTTLS). I consider breaking the obviously broken intervening proxy a feature, as it obviously is broken enough that plain recent TLS doesn't work with it (as otherwise the downgrade wouldn't have been needed), as it would make it obvious to the system maintainer that something is wrong. Hiding broken code behind workarounds like the suggested is almost never a good idea. I also fail to see how you can call this less complex and without new connection establishment, as for the FALLBACK_SCSV to have been asserted there will already have been a reconnect. > Keep in mind that I'm NOT asking to make early adopter servers(!) > non-compliant. Admittedly, I don't know what exactly the early > adopting clients will currently do when they receive Yes, this will break (probably most) early adopters, as good practice in applications (especially those involving crypto) is to validate that all parameters are within the expected range, and it isn't allowed for a server to bump the protocol version above what the client requested. I suspect the most common failure is a protocol_version alert. -- Henrik Grubbström grubba@grubba.org Roxen Internet Software AB grubba@roxen.com
- [TLS] checking on an scsv point Stephen Farrell
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Henrik Grubbström
- Re: [TLS] checking on an scsv point David Benjamin
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Thomson