Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

[mrex@sap.com (Martin Rex)]

Watson Ladd wrote:
> 
> If a server is buggy it shouldn't pretend to offer TLS 1.2 support.
> If you don't notice this bug, what are you doing when testing?
>   [...]
>
> Furthermore, I think we should have a name-and-shame lab if we are
> going to be considering not addressing security issues because of
> interop.
>   [...]
>
> If you don't want to do this, then you shouldn't offer your product
> as supporting TLS.
>   [...]
> 
> Why exactly wouldn't a serious implementor be doing this already?


I don't know why vendors are not testing in any reasonable fashion
before shipping, but I know that it is happening regularly.

Microsoft goofed the RSA premaster secret version check for
the renegotiation handshake in Windows 7 (the first version of
SChannel that supports TLSv1.2):

  http://www.ietf.org/mail-archive/web/tls/current/msg08139.html


The TLS WG knew very well that there were serious interop problems in the
installed base about the RSA Premaster secret version check and that
these interop problems lead to handshake failures.  The TLS WG also knew
that the security of TLS does not depend on RSA premaster secret
client_version number, because it this additional version number appears
only in static RSA key exchanges, it does not appear in DH and DHE key
exchanges.

Now in spite of knowing this, the TLS WG added s not-well-baked text
to the TLSv1.2 specification recommending that servers be anal about
the RSA premaster secret and abort the TLS handshake in a knee-jerk reaction:

  https://tools.ietf.org/html/rfc5246#page-59

and Microsoft's SChannel is (a) anal about the check and (b) got the
check wrong for the renegotiation handshake in Windows 7 and is actively
causing painful and unnecessary interop problems at zero benefit:

  http://www.ietf.org/mail-archive/web/tls/current/msg09417.html


-Martin