Re: [TLS] Broken browser behaviour with SCADA TLS

Martin Thomson <martin.thomson@gmail.com> Wed, 04 July 2018 07:05 UTC

References: <1530687136897.97792@cs.auckland.ac.nz>
In-Reply-To: <1530687136897.97792@cs.auckland.ac.nz>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 4 Jul 2018 17:05:08 +1000
Message-ID: <CABkgnnXsM2_PsL_YsuNEh6eDyp-R2d2JRm6OmGFh9nRAV5Lukg@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JuRu_Pwx49K3eVDbHRAXI3P-WLw>

On Wed, Jul 4, 2018 at 4:53 PM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> ... Client negotiates non-PFS pure-RSA and ignores PFS DHE ...

How is the client doing any of this?  The server picks the cipher suite.

> Least broken browser: Firefox (at least for the last proper version they released)

Newer versions might not have DHE, which I hope is consistent with
your expectations.  But we haven't started on those plans.  As of the
latest version, things should be the same - extensions shouldn't
affect whether connections work.

The problem with DHE of course being that it uses the TLS 1.0 suites
with the SHA1 MAC and with the MAC and encrypt in the wrong order.
And that it is subject to small subgroup attacks from the server
unless it negotiates the FFDHE extension.
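The small-subgroup point above, in the absence of the FFDHE (RFC 7919) extension, comes down to two client-side checks. The following is an added example, not code from this thread or from any browser: it parses the ServerDHParams of a TLS 1.2 ServerKeyExchange, accepts only a group the client itself offered, and verifies that the server's public value lies in the prime-order subgroup. The group is a constructed 11-bit toy safe prime standing in for ffdhe2048, and the names (OFFERED_GROUPS, accept_server_dh, etc.) are this example's own.

```python
import struct

# CONSTRUCTED toy safe prime p = 2q + 1 (q = 743) with p % 8 == 7, so g = 2
# generates the order-q subgroup just as in the RFC 7919 ffdhe groups (those
# are 2048+ bits; the checks below are identical). 0x0100 is the real
# ffdhe2048 codepoint, reused here only as a label for the toy group.
TOY_P = 1487
OFFERED_GROUPS = {0x0100: (TOY_P, 2)}  # what this client sent in supported_groups


def parse_server_dh_params(data: bytes):
    """RFC 5246 ServerDHParams: dh_p, dh_g, dh_Ys, each a 2-byte-length-prefixed
    big-endian integer. Returns (p, g, Ys, trailing bytes such as the signature)."""
    fields, off = [], 0
    for _ in range(3):
        if off + 2 > len(data):
            raise ValueError("truncated ServerDHParams")
        (n,) = struct.unpack_from("!H", data, off)
        off += 2
        if n == 0 or off + n > len(data):
            raise ValueError("bad length in ServerDHParams")
        fields.append(int.from_bytes(data[off:off + n], "big"))
        off += n
    p, g, ys = fields
    return p, g, ys, data[off:]


def public_value_ok(p: int, ys: int) -> bool:
    """RFC 7919 section 5.1 requires 1 < Ys < p-1, which for a safe prime rules
    out the only tiny subgroups ({1} and {1, p-1}). This goes one step further
    and requires Ys^q == 1 mod p, i.e. Ys lies in the order-q subgroup, so an
    order-2q value (which would leak one bit of the client secret) is refused."""
    if not 1 < ys < p - 1:
        return False
    return pow(ys, (p - 1) // 2, p) == 1


def accept_server_dh(data: bytes) -> bool:
    """Client-side verdict on a DHE ServerKeyExchange: (p, g) must be a group this
    client advertised, and Ys must pass the subgroup check. A server-invented
    (p, g) is rejected outright; proving an arbitrary p safe is expensive."""
    p, g, ys, _sig = parse_server_dh_params(data)
    if (p, g) not in OFFERED_GROUPS.values():
        return False
    return public_value_ok(p, ys)
```

With a real stack the same two tests apply to the 2048-bit group; the range check alone is what RFC 7919 mandates, the quadratic-residue check is the stricter variant.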