Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt (Martin Rex) Wed, 25 September 2013 20:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E272E21F9E40 for <>; Wed, 25 Sep 2013 13:54:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.156
X-Spam-Status: No, score=-10.156 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HmHlnA2dBgVe for <>; Wed, 25 Sep 2013 13:54:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8F43B21F9D95 for <>; Wed, 25 Sep 2013 13:54:31 -0700 (PDT)
Received: from by (26) with ESMTP id r8PKsO2s013741 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 25 Sep 2013 22:54:24 +0200 (MEST)
In-Reply-To: <>
To: Bodo Moeller <>
Date: Wed, 25 Sep 2013 22:54:24 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <>
From: (Martin Rex)
X-SAP: out
Cc: "" <>
Subject: Re: [TLS] Comments/Questions on draft-gutmann-tls-encrypt-then-mac-00.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Sep 2013 20:55:01 -0000

Bodo Moeller wrote:
> > Instead of particular versions, it seems to me that an indicator of "I
> >> tried to connect using a higher version than I'm using now but had to
> >> fall back to this verion" would cover any case now or later.
> >>
> >
> > Indeed that's what I ended up writing down for an Internet Draft.
> >
> Now here:

OH NO, not again!!

Any kind of specification for TLS, that suggests to the server
to apply heuristics and make (often flawed or unjustified) assumptions
about what the client may want or may not want and have the _server_
abort the handshake rather than the client, are a REALLY BAD IDEA and
squarely against the IETF spirit to promote interop.

Fatal SSL alerts in particular, are worst of all, because they do often
do not give any clue, are not ever sent by a number of TLS implementations
(you just see the connection close/reset), and are hardly/poorly visualized
or not even accessible on many TLS clients.

If anything, then such a "downgrade protection discovery" signaling
cihper suites should cause the server to respond with a ServerHelloExtension
listing the features that the server supports and would be capable
of processing properly when present in ClientHello, and leave the
decision, whether to abort the handshake and whether to tell or ask
the user about any perceived problems first, entirely up to the client.