IETF Logo Mail Archive

Re: [TLS] SCSVs and SSLv3 fallback

Trevor Perrin <trevp@trevp.net> Fri, 05 April 2013 22:11 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A58B721F98EB for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 15:11:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.426
X-Spam-Level:
X-Spam-Status: No, score=-0.426 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZlaK27pqwKX0 for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 15:11:35 -0700 (PDT)
Received: from mail-wi0-x235.google.com (mail-wi0-x235.google.com [IPv6:2a00:1450:400c:c05::235]) by ietfa.amsl.com (Postfix) with ESMTP id E07A721F98DC for <tls@ietf.org>; Fri, 5 Apr 2013 15:11:34 -0700 (PDT)
Received: by mail-wi0-f181.google.com with SMTP id hj8so1036464wib.2 for <tls@ietf.org>; Fri, 05 Apr 2013 15:11:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=62smQxB2IuCYSJQEUfNXDvGwImzdg7X6ANMTV92Dqpk=; b=iqLrSb4QjJMDSIH6HuA8UcDvCY49fMLn4XDbjm3CI0qY04qZ4wxPkzo6BOlqel6Vuj oVwKWBt/XnDk5H7Y0hiqUIH6K5y+y2EGQqd+D604B68PsB+zuj8KT4954/fP0eGonv9/ v9KBLDwEIdD9ulPPel4lcGtcuGO008S4B6YThSk5Md3NrexLprHbwR4im5sPbQ4DmJTY Yb8D3Dx8DGUzAEDJuFIbbHZ+8GGMdAaIC2bOPVWCdTUiFUOO/iDgISrs0DKgOY3XVxKO jR+mCSHwTfZLBSarV1zwp4CDdBaBX57HOptLvat0a0ldxyr4qyoFBuvcXPM7/1yNHEXy CpXQ==
MIME-Version: 1.0
X-Received: by 10.194.123.168 with SMTP id mb8mr19024247wjb.24.1365199893203; Fri, 05 Apr 2013 15:11:33 -0700 (PDT)
Received: by 10.217.119.134 with HTTP; Fri, 5 Apr 2013 15:11:32 -0700 (PDT)
X-Originating-IP: [173.11.71.218]
In-Reply-To: <515F428E.2010900@gnutls.org>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid> <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com> <515F428E.2010900@gnutls.org>
Date: Fri, 05 Apr 2013 15:11:32 -0700
Message-ID: <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQkAY2X3jrYoSWH6850bikNiuAntbaDWdJ3nHDY1i79dg6gU9+ApPUXkdzeoBDJdFW2w0wh6
Cc: tls@ietf.org
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 22:11:35 -0000

On Fri, Apr 5, 2013 at 2:30 PM, Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote:
> On 04/05/2013 09:46 PM, Trevor Perrin wrote:
>
>
>>  (c) This proposal is guaranteed to fail with TLS-intolerant
>> middleboxes, whereas the SCSV proposal has a good chance of working.
>
> [...]
>> I'd be interested in hearing more about why people oppose the SCSV
>> approach.  We're nowhere close to exhaustion of the ciphersuite (or
>> extension) registries.  Is there some real problem with SCSVs, or does
>> it just offend people's sense of the "proper way" to do things?
>
> I wouldn't expect the problem of failed TLS connections due to middle
> boxes or bad implementations to disappear by making a complex protocol
> even more complex.

If the problem is TLS-intolerant middleboxes, then allowing necessary
handshake data to flow via SSLv3, using a mechanism that has worked
for other extension data, should make the problem better.  No?


> By having a protocol that offers more than a way to do things I'd expect
> an increase to the interoperability and failed connection issues we see
> today. More options for the same thing pretty much guarantees that there
> will be at least one implementation that will ship the non mainstream
> options untested.

This is pretty easy to test, the logic is simple:
 - client sends SCSV and/or empty ClientHello extension
 - on receiving SCSV and/or empty ClientHello extension, server sends
ServerHello extension.

This is even simpler than RFC5746, since for (CT, TACK, OCSP
"must-staple") the ClientHello Extension could just be an empty
signal, and the ServerHello contains a static response.

This idiom is so simple it could be handled by an "extender file"
interface:  The site administrator could specify an "extender file"
containing PEM-encoded TLS Extensions in the server config.  Each
PEM-encoded blob would contain a prefix specifying the TLS extension
number and (optional) SCSV number.  This would avoid the need for
server-side code changes for any Extension that follows this idiom.

So, we would only need to deploy this once into (OpenSSL, Apache,
nginx, etc.).  Does that alleviate your concern?

I've discussed this with Ben Laurie and begun an OpenSSL patch, which
at least CT and TACK could take advantage of.  It doesn't allow SCSV
specification yet, but I'm wondering if it should:

https://github.com/trevp/openssl_extender


Trevor

v2.23.0 | Report a Bug | By Email