Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

[Hubert Kario <hkario@redhat.com>]

----- Original Message -----
> From: "Hubert Kario" <hkario@redhat.com>
> To: "Manuel Pégourié-Gonnard" <mpg@polarssl.org>
> Cc: "Florian Weimer" <fweimer@redhat.com>, tls@ietf.org
> Sent: Thursday, 16 October, 2014 4:28:25 PM
> Subject: Re: [TLS] Working Group Last Call for	draft-ietf-tls-downgrade-scsv-00
> 
> ----- Original Message -----
> > From: "Manuel Pégourié-Gonnard" <mpg@polarssl.org>
> > To: "Florian Weimer" <fweimer@redhat.com>, "Martin Thomson"
> > <martin.thomson@gmail.com>, "Bodo Moeller"
> > <bmoeller@acm.org>
> > Cc: tls@ietf.org
> > Sent: Thursday, 16 October, 2014 3:48:00 PM
> > Subject: Re: [TLS] Working Group Last Call for
> > 	draft-ietf-tls-downgrade-scsv-00
> > 
> > On 16/10/2014 15:41, Florian Weimer wrote:
> > > On 10/16/2014 12:40 PM, Manuel Pégourié-Gonnard wrote:
> > >> On 16/10/2014 12:06, Florian Weimer wrote:
> > >>> Interesting things will start to happen once there is TLS 1.3.
> > >>> TLS_FALLBACK_SCSV could really complicate its deployment.
> > >>>
> > >> I'm afraid I don't understand which interesting things you're referring
> > >> to.
> > >> Could you please elaborate on that?
> > >>
> > > A widely-deployed client might use TLS 1.2 with FALLBACK_SCSV
> > > unconditionally.  This client would break once servers start supporting
> > > TLS 1.3.  That's just one example of what could go wrong which could not
> > > go wrong before.
> > > 
> > I'm sorry, but wouldn't that be very stupid of the client? Maybe the draft
> > could
> > include wording that clients MUST NOT do that, to be extra clear, but IMHO
> > it's
> > already quite clear.
> > 
> > Besides clients doing this stupid thing, do you see other bad things
> > related
> > to
> > FALLBACK_SCSV that could happen when TLS 1.3 will start being deployed?
> 
> I don't see any.
> 
> Both NSS and OpenSSL when they receive TLS1.2 client hello with this SCSV
> accept and continue connection.
> 
> Both NSS and OpenSSL when they are limited by configuration to a lower
> protocol
> version (e.g. TLS1.0) and receive Client Hello with the same or higher
> version
> and this SCSV accept the connection.
> 
> In other words. If, for any reason, a future client (one that supports
> TLS1.3)
> decides that it needs to downgrade the connection (and indicate that by
> adding
> the SCSV) to interoperate with current implementations, it will work
> correctly.
> 
> Of course, if a client sets this SCSV always, even on first connection
> attempt,
> then it will fail after the server upgrades to TLS1.3, or it uses the library
> that doesn't support higher protocol versions (like 0.9.8), but that's

like openssl 0.9.8*

> incorrect use of the SCSV.
> --
> Regards,
> Hubert Kario
> Quality Engineer, QE BaseOS Security team
> Email: hkario@redhat.com
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic