Re: [TLS] SCSVs and SSLv3 fallback
Trevor Perrin <trevp@trevp.net> Fri, 05 April 2013 22:11 UTC
Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A58B721F98EB for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 15:11:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.426
X-Spam-Level:
X-Spam-Status: No, score=-0.426 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZlaK27pqwKX0 for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 15:11:35 -0700 (PDT)
Received: from mail-wi0-x235.google.com (mail-wi0-x235.google.com [IPv6:2a00:1450:400c:c05::235]) by ietfa.amsl.com (Postfix) with ESMTP id E07A721F98DC for <tls@ietf.org>; Fri, 5 Apr 2013 15:11:34 -0700 (PDT)
Received: by mail-wi0-f181.google.com with SMTP id hj8so1036464wib.2 for <tls@ietf.org>; Fri, 05 Apr 2013 15:11:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=62smQxB2IuCYSJQEUfNXDvGwImzdg7X6ANMTV92Dqpk=; b=iqLrSb4QjJMDSIH6HuA8UcDvCY49fMLn4XDbjm3CI0qY04qZ4wxPkzo6BOlqel6Vuj oVwKWBt/XnDk5H7Y0hiqUIH6K5y+y2EGQqd+D604B68PsB+zuj8KT4954/fP0eGonv9/ v9KBLDwEIdD9ulPPel4lcGtcuGO008S4B6YThSk5Md3NrexLprHbwR4im5sPbQ4DmJTY Yb8D3Dx8DGUzAEDJuFIbbHZ+8GGMdAaIC2bOPVWCdTUiFUOO/iDgISrs0DKgOY3XVxKO jR+mCSHwTfZLBSarV1zwp4CDdBaBX57HOptLvat0a0ldxyr4qyoFBuvcXPM7/1yNHEXy CpXQ==
MIME-Version: 1.0
X-Received: by 10.194.123.168 with SMTP id mb8mr19024247wjb.24.1365199893203; Fri, 05 Apr 2013 15:11:33 -0700 (PDT)
Received: by 10.217.119.134 with HTTP; Fri, 5 Apr 2013 15:11:32 -0700 (PDT)
X-Originating-IP: [173.11.71.218]
In-Reply-To: <515F428E.2010900@gnutls.org>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid> <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com> <515F428E.2010900@gnutls.org>
Date: Fri, 05 Apr 2013 15:11:32 -0700
Message-ID: <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQkAY2X3jrYoSWH6850bikNiuAntbaDWdJ3nHDY1i79dg6gU9+ApPUXkdzeoBDJdFW2w0wh6
Cc: tls@ietf.org
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 22:11:35 -0000
On Fri, Apr 5, 2013 at 2:30 PM, Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote: > On 04/05/2013 09:46 PM, Trevor Perrin wrote: > > >> (c) This proposal is guaranteed to fail with TLS-intolerant >> middleboxes, whereas the SCSV proposal has a good chance of working. > > [...] >> I'd be interested in hearing more about why people oppose the SCSV >> approach. We're nowhere close to exhaustion of the ciphersuite (or >> extension) registries. Is there some real problem with SCSVs, or does >> it just offend people's sense of the "proper way" to do things? > > I wouldn't expect the problem of failed TLS connections due to middle > boxes or bad implementations to disappear by making a complex protocol > even more complex. If the problem is TLS-intolerant middleboxes, then allowing necessary handshake data to flow via SSLv3, using a mechanism that has worked for other extension data, should make the problem better. No? > By having a protocol that offers more than a way to do things I'd expect > an increase to the interoperability and failed connection issues we see > today. More options for the same thing pretty much guarantees that there > will be at least one implementation that will ship the non mainstream > options untested. This is pretty easy to test, the logic is simple: - client sends SCSV and/or empty ClientHello extension - on receiving SCSV and/or empty ClientHello extension, server sends ServerHello extension. This is even simpler than RFC5746, since for (CT, TACK, OCSP "must-staple") the ClientHello Extension could just be an empty signal, and the ServerHello contains a static response. This idiom is so simple it could be handled by an "extender file" interface: The site administrator could specify an "extender file" containing PEM-encoded TLS Extensions in the server config. Each PEM-encoded blob would contain a prefix specifying the TLS extension number and (optional) SCSV number. This would avoid the need for server-side code changes for any Extension that follows this idiom. So, we would only need to deploy this once into (OpenSSL, Apache, nginx, etc.). Does that alleviate your concern? I've discussed this with Ben Laurie and begun an OpenSSL patch, which at least CT and TACK could take advantage of. It doesn't allow SCSV specification yet, but I'm wondering if it should: https://github.com/trevp/openssl_extender Trevor
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Hanno Böck
- Re: [TLS] SCSVs and SSLv3 fallback Geoffrey Keating
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Joseph Birr-Pixton
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Paul Hoffman
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Adam Langley
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yoav Nir