IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Andrey Jivsov <crypto@brainhub.org> Fri, 24 October 2014 05:53 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 581681ACFC5 for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 22:53:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3_oxRgAG7KML for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 22:53:47 -0700 (PDT)
Received: from resqmta-po-02v.sys.comcast.net (resqmta-po-02v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:161]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACA7E1A88C5 for <tls@ietf.org>; Thu, 23 Oct 2014 22:53:47 -0700 (PDT)
Received: from resomta-po-01v.sys.comcast.net ([96.114.154.225]) by resqmta-po-02v.sys.comcast.net with comcast id 6ttl1p0094s37d401ttn8i; Fri, 24 Oct 2014 05:53:47 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-po-01v.sys.comcast.net with comcast id 6ttl1p0044uhcbK01ttl3z; Fri, 24 Oct 2014 05:53:46 +0000
Message-ID: <5449E969.9000800@brainhub.org>
Date: Thu, 23 Oct 2014 22:53:45 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com>
In-Reply-To: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1414130027; bh=bQQvsmxNgklUnsiK2eB+fQ/0eT791bhUlXDY20h7WAE=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=LKsinUZYYCV/5kKEWlaqD4AJ3jg2ZH0/We98H+tmFFHBCI0xC4lAc08ttlHVBHEBx l4iHuZzahTQ072okC47SI/v6rIGltNKbeLf8MBA4KStufjMmCuGRTW2P9vJMrPCKt7 BV4BGsqPhtvy7/PYbhh/Vx8pKTitju/gO8Mce9giMLGB6WkKFy5YIliA3yl2qAakxD hFkZDaZ1OMbohpSkgQX40sOCSAJZkYDqWQ4rsSdDDAlKbjCeoqtFJCV4/JMIYN19LI IEYCMTXsVyVKXmAzgOK6tHj2ScNpWNlJGbYA39esy96PwfqXxMgboUzg/kb0eausJB mQQgu+uJTtBeA==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Fcm_lUazUB29a4VO1a2280fuEEk
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 05:53:49 -0000

Server list of acceptable ciphersuites is sometimes protocol-specific. 
For example, AES-GCM suites are associated with TLS1.2.

There may be ciphersuites that apply to all protocols but only 
configured to be available with lower ones on some servers. For example, 
DES-CBC3-SHA (or RC4-SHA, etc) might be made available for SSL3.0 only.

Let's assume that the server supports all protocols SSL3.0-TLS1.0, but 
this server supports DES-CBC3-SHA with SSL3.0 only.

Assume that a client only negotiates DES-CBC3-SHA (or that this would be 
the only intersection)

Client does {DES-CBC3-SHA} with TLS1.2 in ClientHello. The pair 
negotiates DES-CBC3-SHA with SSL3.0.

Client decides to drop to TLS1.1 (due to network glitch, etc). It SHOULD 
do {DES-CBC3-SHA,TLS_FALLBACK_SCSV} with TLS1.1 per sec 4. The server 
MUST fail with inappropriate_fallback per sec 3.

Is it a good idea to reject a more secure protocol than the server can 
possibly negotiate with this client? Did I interpret the draft correctly?

( The scenario applies in other cases when you adjust some of values 
here. For example, we expect TLS1.3 intolerant servers, so TLS1.2+SCSV 
was advocated in this case this list. The server is expected to fail 
with inappropriate_fallback even when it doesn't have a match with 
ciphersuites associated with TLS1.2. )

Thank you.

v2.23.0 | Report a Bug | By Email