IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Andrey Jivsov <crypto@brainhub.org> Fri, 24 October 2014 20:21 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB3D21A6F3C for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 13:21:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8vpBKBjv8eB5 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 13:21:11 -0700 (PDT)
Received: from resqmta-ch2-09v.sys.comcast.net (resqmta-ch2-09v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:41]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AA241A1A27 for <tls@ietf.org>; Fri, 24 Oct 2014 13:21:10 -0700 (PDT)
Received: from resomta-ch2-14v.sys.comcast.net ([69.252.207.110]) by resqmta-ch2-09v.sys.comcast.net with comcast id 78K81p0032PT3Qt018M9b9; Fri, 24 Oct 2014 20:21:09 +0000
Received: from [IPv6:::1] ([71.202.164.227]) by resomta-ch2-14v.sys.comcast.net with comcast id 78M81p00A4uhcbK018M814; Fri, 24 Oct 2014 20:21:09 +0000
Message-ID: <544AB4B4.2010305@brainhub.org>
Date: Fri, 24 Oct 2014 13:21:08 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Bodo Moeller <bmoeller@acm.org>, "tls@ietf.org" <tls@ietf.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5449E969.9000800@brainhub.org> <CADMpkc+cLJNMYZb4OqukM7qT1aPsqEmCF0JxOyuLYe=78BEcgQ@mail.gmail.com>
In-Reply-To: <CADMpkc+cLJNMYZb4OqukM7qT1aPsqEmCF0JxOyuLYe=78BEcgQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1414182069; bh=tBhzzdfYKnYU2hIhTzQAHhybVgrU7Dwbq3QgSQgRMKY=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=ReBXB0eadXi6iltPn/VL84PCWtjVCzacRXQy0JlJUH9MGZWEcoTmJj3iQzjBLxpg5 7KqZ21WnQLdRxLvngC21Mz62ADvFYblrUT1X4TYieMfXTMsweKHjnCLsNcqj17Z5wB eP8Ts2EzvjbhkW/nq4vF7vGQ8rNslrIsznbQfvsm/N6eZOKZNOFLTiEoQ1HeameFaZ e6XCoTyT6btzUTGYcjafITB0VDKgZr+VxPdxHo1k5fPROsgH+xYlXMGwQgdPncC/3K zM6BB1wMQ/B+LOsc/jGYWhzxpD+uiB9JnTOAIzIk9/D0aCSiqjCFWE1V2G0tL92NfV z0lGvC0JsxcDw==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/QBSZmjb0Z_gOQ3IiNwewRG2ETuk
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 20:21:14 -0000

On 10/24/2014 02:58 AM, Bodo Moeller wrote:
> Andrey Jivsov <crypto@brainhub.org <mailto:crypto@brainhub.org>>:
>
>     Client decides to drop to TLS1.1 (due to network glitch, etc).
>     [...] The server MUST fail with inappropriate_fallback per sec 3.
>
>     Is it a good idea to reject a more secure protocol than the server
>     can possibly negotiate with this client?
>
>
> In this case, the connection really fails due to the network glitch. 
> If the client wasn't attempting fallback retries, it would similarly 
> fail. (This could happen independently of the cipher suites that the 
> server accepts.)

In this scenario the client would succeed with the same server if the 
server doesn't implement draft-ietf-tls-downgrade-scsv but will fail if 
the server implements draft-ietf-tls-downgrade-scsv-03. Interestingly, 
regardless of draft-ietf-tls-downgrade-scsv-03 implementation the 
negotiated ciphersuite will be the same (when the pair succeeds with the 
handshake, that is)


>
> In the kind of hypothetical scenario that you describe, it indeed 
> wouldn't cause a reduction in security to accept the connection 
> instead of failing, but optimizing for corner cases like this one 
> doesn't seem reasonable: it necessarily would make the mechanism more 
> complex overall.
>
> (The server behavior that you describe also would be really odd. The 
> CBC cipher suites are more broken in SSL 3.0 than in TLS 1.0, and more 
> broken in TLS 1.0 than in TLS 1.1. If the server *does* support one of 
> the newer protocol versions, why would it only support the most broken 
> incarnation of that cipher suite?
>

This configuration of the server may be driven by the logic that "we 
will use legacy algorithms (RC4, SHA1, etc) with legacy protocols (SSL*, 
TLS1.0) for legacy clients".

> Also note that in the *specific* hypothetical scenario that you 
> describe, the server actually would accept the fallback retry: you 
> said that TLS 1.0 is the highest protocol version supported by the 
> server; this is not higher than ClientHello.client_version in the TLS 
> 1.1 retry, so the server wouldn't reject.)

No, this is not what I was saying.

In my scenario the server supports TLS1.2 in general with some 
ciphersuites (and will support TLS1.3 in the future). The server is 
configured in a way that the ciphersuite that it can negotiate with the 
client requires SSLv3.

What does draft-ietf-tls-downgrade-scsv-03 want the server to do here: 
assume it's highest version is TLS1.2 or SSL 3.0?  I.e. is the max. 
version a static property on the server or dynamic based on ciphers in 
ClientHello?

v2.23.0 | Report a Bug | By Email