Re: [TLS] Downgrade SCSV info

Bodo Moeller <> Thu, 13 November 2014 08:47 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E8DBF1A6FA6 for <>; Thu, 13 Nov 2014 00:47:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.262
X-Spam-Status: No, score=-0.262 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zFtOYKjnDEdr for <>; Thu, 13 Nov 2014 00:47:29 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1D7AC1A2130 for <>; Thu, 13 Nov 2014 00:47:29 -0800 (PST)
Received: from ( []) by (node=mreue102) with ESMTP (Nemesis) id 0M9Gk2-1Xhfay3TJu-00Cgtp; Thu, 13 Nov 2014 09:47:27 +0100
Received: by with SMTP id nt9so11381146obb.41 for <>; Thu, 13 Nov 2014 00:47:24 -0800 (PST)
MIME-Version: 1.0
X-Received: by with SMTP id bo16mr664932oec.55.1415868444618; Thu, 13 Nov 2014 00:47:24 -0800 (PST)
Received: by with HTTP; Thu, 13 Nov 2014 00:47:24 -0800 (PST)
In-Reply-To: <>
References: <>
Date: Thu, 13 Nov 2014 09:47:24 +0100
Message-ID: <>
From: Bodo Moeller <>
To: "" <>
Content-Type: multipart/alternative; boundary="089e011838ecb0b6bb0507b98f03"
X-Provags-ID: V02:K0:GdAH003u34OQ5GQ2EMaPBhOL8zOeysvU7IBV3J5vKUa kDvoJaLnsk9XQNk/H08dtVPBCXyUeXf8lgESIsdHddr86L27Dj iVhp50izwmLCmsjQAv4ublWXStRqk5ttFOcQaDGRY/pssUbOaO 9KKCavOUxV8lGeHbNcAQGPJAYniCOT5Fwa2sX3LeiL0EDoDdqE J/5bBqf/QUJYdTBvZF9dbFcIDSJxgx7yQt9s6CrsJKkNFaV8rc YLj8uGyQO5Pq3fpamsG3IFzi3+yDvXFbC2gFMw9JpLc13++XNG IACAxIN3xogyVpv2Ef9IJk4s4UILwt+1sAAbd52YNocOmlG7D4 YiFdjQq8BiKPtQbAntCr2xhCT9RztgXl3077PFiyB1HfN5GU/f W6yL/5Skga2nR6GVMGLao0uuj2KXh3Nfaqy8LGhJ6PfIGxUxQ3 9ZMG9
X-UI-Out-Filterresults: notjunk:1;
Subject: Re: [TLS] Downgrade SCSV info
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Nov 2014 08:47:31 -0000

Rob Trace <>:

 > Right, although it couldn't hurt for the client to try TLS 1.1 next in
> case
> > it sees an inappropriate_fallback alert. (Then in the end you have
> > essentially the same outcome as if trying the protocols in decreasing
> order,
> > in the presence of an active attacker forcing you to downgrade.)

> When we looked at the fallback to HTTP 1.1, it was just as Martin stated
> and there were almost 0 times when the connection completed over TLS 1.1.
> The 1.1 fallback was a lot of wasted roundtrips and did not provide any
> value.
> I am not sure what a wasted fallback to HTTP 1.1 would provide with SCSV,
> in that the TLS 1.0 fallback would still result in the
> inappropriate_fallback before we send any data.

I do understand the reasoning, although I don't think that this is a good

- There are servers that are TLS 1.2 intolerant but do tolerate TLS 1.1, so
in that case the fallback to TLS 1.1 does have a chance to complete the
handshake without wasting any round trips (even if the negotiated protocol
may still be TLS 1.0).

- A handshake failure in the initial TLS 1.2 attempt may be due to network
problems rather than incompatibility or an attack. Now assume that the
server does not support TLS_FALLBACK_SCSV. In that case, if you fall back
to TLS 1.1 first (rather than straight to TLS 1.0), you'll end up using the
better protocol (TLS 1.1 instead of TLS 1.0).

I'd rather incur additional latency with servers that are TLS 1.1
intolerant than risk falling back to an unnecessarily bad protocol version.
 (I said that before, about SSL 3.0.  <Cue dramatic music>)

Anyway, if you *do* fall back from a TLS 1.2 Client Hello to a TLS 1.0
Client Hello with TLS_FALLBACK_SCSV, as I said above it might be a good
idea to do the missing TLS 1.1 Client Hello (with TLS_FALLBACK_SCSV) later
in the sequence, if you see an inappropriate_fallback alert with TLS 1.0.
This doesn't address known interoperability issues with particular servers,
but there *could* be servers that are TLS 1.2 intolerant but do support TLS
1.1 (take any decent TLS implementation and add a wacky load balancer in
front of it). This sequence still feels wrong (you really, really should
try TLS 1.1 before TLS 1.0), but it may improve interoperability further.