[TLS] Broken browser behaviour with SCADA TLS

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 04 July 2018 06:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MCFNPC6KVVYtjIL3KNrVgYFGiok>

The following is an attempt to condense some off-list discussions with SCADA
folks about the broken behaviour of some browsers when it comes to interaction
with SCADA devices running TLS.  tl;dr: Chrome is practically unusable, at the
other end of the scale Firefox is fine, and there's something weird happening
with IE, possibly due to the use of non-CA-bought certificates.

A disclaimer for the following: This involved a lot of fiddling with server
configs to exercise all the different options and recreate what people were
reporting, so there may be some anomalies arising from getting a particular
combination of browser+server config wrong.  I can post a full trace of cipher
suites offered and accepted if anyone's interested.

Browser versions

IE = 11.0.9600.18538
Chrome = 67.0.3396.87
Firefox = last version before they broke all the extensions

DHE + RSA, ECDHE + ECDSA, ECDHE + RSA, RSA only:
Chrome:
[Connects correctly]
Firefox:
[Connects correctly]
IE:
[Does some weird fallback dance where it reconnects using TLS 1.0 several
 times when the cert is unrecognised and you click OK to accept it, then
 closes the connection after negotiating DHE at the point where the server has
 sent its Server Hello Done]

DHE + RSA, ECDHE + ECDSA, RSA only (using RSA server key, so in effect no ECDSA):
Chrome:
[Client negotiates non-PFS pure-RSA and ignores PFS DHE, then disconnects
 after sending/receiving Finished, then reconnects and repeats]
Firefox:
[Connects correctly]
IE:
[Does some weird fallback dance where it reconnects using TLS 1.0 several
 times when the cert is unrecognised and you click OK to accept it, then
 closes the connection after negotiating DHE at the point where the server has
 sent its Server Hello Done]

DHE + RSA, RSA only:

Chrome:
[Client negotiates non-PFS pure-RSA and ignores PFS DHE]
Firefox:
[Connects correctly]
IE:
[Does some weird fallback dance where it reconnects using TLS 1.0 several
 times when the cert is unrecognised and you click OK to accept it, then
 closes the connection after negotiating DHE at the point where the server has
 sent its Server Hello Done]

DHE + RSA only:

Chrome:
[Unable to connect, "The client and server don't support a common SSL protocol
 version or cipher suite"]
Firefox:
[Connects correctly]
IE:
[Does some weird fallback dance where it reconnects using TLS 1.0 several
 times when the cert is unrecognised and you click OK to accept it, then
 closes the connection after negotiating DHE at the point where the server has
 sent its Server Hello Done]

Summary:

Most broken browser unless exactly the right cipher suite is available: Chrome
Least broken browser: Firefox (at least for the last proper version they released)

Peter.
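
Added example, not part of the original message: a small model of TLS 1.2-and-earlier server-side suite selection run over the four server configurations listed above, for checking which client offer lists end in a PFS suite, a non-PFS fallback, or no common suite. The AES-128-GCM suite names, the RSA server key default, server-preference ordering and both client offer lists are constructed assumptions, not captured ClientHello data.

```python
"""Model of TLS <= 1.2 server-side cipher suite selection (added example)."""

# IANA suite names; the AES-128-GCM variants are an assumption for illustration.
DHE_RSA = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
ECDHE_ECDSA = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
ECDHE_RSA = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
RSA_ONLY = "TLS_RSA_WITH_AES_128_GCM_SHA256"

# The four server configurations from the message, in the order listed there.
SERVER_CONFIGS = {
    "DHE+RSA, ECDHE+ECDSA, ECDHE+RSA, RSA": [DHE_RSA, ECDHE_ECDSA, ECDHE_RSA, RSA_ONLY],
    "DHE+RSA, ECDHE+ECDSA, RSA": [DHE_RSA, ECDHE_ECDSA, RSA_ONLY],
    "DHE+RSA, RSA": [DHE_RSA, RSA_ONLY],
    "DHE+RSA": [DHE_RSA],
}

# Constructed client offer lists (hypothetical clients, not real browser traces).
CLIENT_WITHOUT_DHE = [ECDHE_ECDSA, ECDHE_RSA, RSA_ONLY]
CLIENT_WITH_DHE = [ECDHE_ECDSA, ECDHE_RSA, DHE_RSA, RSA_ONLY]


def parse_suite(name):
    """Split an IANA suite name into (key_exchange, authentication)."""
    head = name.split("_WITH_")[0].split("_")[1:]  # drop the "TLS" prefix
    if len(head) == 1:          # static RSA: key transport and auth are both RSA
        return head[0], head[0]
    return head[0], head[1]


def negotiate(server_suites, server_key_type, client_offer):
    """Pick the first server-preferred suite usable with the server key and offered by the client."""
    for suite in server_suites:
        _, auth = parse_suite(suite)
        if auth != server_key_type:   # e.g. ECDSA suites are dead with an RSA key
            continue
        if suite in client_offer:
            return suite
    return None                       # server would send a handshake_failure alert


def audit(client_offer, server_key_type="RSA"):
    """Classify the outcome for every configuration: 'pfs', 'non-pfs' or 'no-common-suite'."""
    report = {}
    for label, suites in SERVER_CONFIGS.items():
        chosen = negotiate(suites, server_key_type, client_offer)
        if chosen is None:
            outcome = "no-common-suite"
        else:
            outcome = "pfs" if parse_suite(chosen)[0] in ("DHE", "ECDHE") else "non-pfs"
        report[label] = (chosen, outcome)
    return report
```

Running `audit(CLIENT_WITHOUT_DHE)` against a device's intended configuration before deployment shows whether a client lacking DHE would be pushed onto static RSA or locked out entirely.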