IETF Logo Mail Archive

Re: [TLS] SCSVs and SSLv3 fallback

Nikos Mavrogiannopoulos <nmav@gnutls.org> Sat, 06 April 2013 09:23 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05B7A21F8D8C for <tls@ietfa.amsl.com>; Sat, 6 Apr 2013 02:23:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.846
X-Spam-Level:
X-Spam-Status: No, score=-0.846 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pl9P40pSniRZ for <tls@ietfa.amsl.com>; Sat, 6 Apr 2013 02:23:04 -0700 (PDT)
Received: from mail-ea0-x236.google.com (mail-ea0-x236.google.com [IPv6:2a00:1450:4013:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id 2D2E621F8D86 for <tls@ietf.org>; Sat, 6 Apr 2013 02:23:03 -0700 (PDT)
Received: by mail-ea0-f182.google.com with SMTP id q15so1657103ead.41 for <tls@ietf.org>; Sat, 06 Apr 2013 02:23:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:sender:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:x-enigmail-version:openpgp :content-type:content-transfer-encoding; bh=FgIHue/huZUoO4G2oMnkqDZuyq6jVBtljY/UymnVUDc=; b=bRSw+UYluHnkk0+8dUIzWdWrciAhOtQC9NMb+d2wgqvyOztfl99ybc6NhAVwtvvk+1 A1Xj2RgjQY6diTRQBLhpqYM4/ycBo8+Gp7ZvSXp+Nry3XZYhVUlIezDsbA4kuYbYFskp S3VLSIV1tlTt1Fewlhrw4v84nge19I4T6oUHR2J6IfO1OQs80rZ9R5iWaxO87wOJsWFg oISKNvltmdpIEo6RxKAypMNVgI44SkEoJquMQDhTFmX+kKbHAZbY0l62OcWiys1/eWkP bsYI2we+znQL7MGgYV+L7axWWJ5DoBN1gPtFyjK8/XKYb0F5U01fydUygcrDGH8D4ybs tTDQ==
X-Received: by 10.15.76.132 with SMTP id n4mr8249237eey.16.1365240182399; Sat, 06 Apr 2013 02:23:02 -0700 (PDT)
Received: from [10.100.2.17] (94-224-100-5.access.telenet.be. [94.224.100.5]) by mx.google.com with ESMTPS id cd3sm10089340eeb.6.2013.04.06.02.23.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 06 Apr 2013 02:23:01 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <515FE96F.4000007@gnutls.org>
Date: Sat, 06 Apr 2013 11:22:55 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20130116 Icedove/10.0.12
MIME-Version: 1.0
To: Trevor Perrin <trevp@trevp.net>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid> <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com> <515F428E.2010900@gnutls.org> <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com>
In-Reply-To: <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com>
X-Enigmail-Version: 1.4.1
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2013 09:23:05 -0000

On 04/06/2013 12:11 AM, Trevor Perrin wrote:

>>>  (c) This proposal is guaranteed to fail with TLS-intolerant
>>> middleboxes, whereas the SCSV proposal has a good chance of working.
>> [...]
>>> I'd be interested in hearing more about why people oppose the SCSV
>>> approach.  We're nowhere close to exhaustion of the ciphersuite (or
>>> extension) registries.  Is there some real problem with SCSVs, or does
>>> it just offend people's sense of the "proper way" to do things?
>>
>> I wouldn't expect the problem of failed TLS connections due to middle
>> boxes or bad implementations to disappear by making a complex protocol
>> even more complex.
> If the problem is TLS-intolerant middleboxes, then allowing necessary
> handshake data to flow via SSLv3, using a mechanism that has worked
> for other extension data, should make the problem better.  No?


It may reduce the error failures in some middle-boxes. We cannot be sure
about that because we don't know the actual reason for failure, we just
speculate.

Nevertheless your focus on SSL 3.0 is also wrong. Given the number of
security flaws known to that protocol it may be more productive for the
WG to work towards phasing it out.

>> By having a protocol that offers more than a way to do things I'd expect
>> an increase to the interoperability and failed connection issues we see
>> today. More options for the same thing pretty much guarantees that there
>> will be at least one implementation that will ship the non mainstream
>> options untested.
> This is pretty easy to test, the logic is simple:
>  - client sends SCSV and/or empty ClientHello extension
>  - on receiving SCSV and/or empty ClientHello extension, server sends
> ServerHello extension.


What would you do at the case a middle box only accepts extension A
using SCSV but extension B is only accepted as ClientHello extension?

Since what are you countering of is bugs, you can never be sure what the
next bug would be. Bugs should be treated as bugs.

> This idiom is so simple it could be handled by an "extender file"

The previous extension mechanism was even simpler but still there were
several middle-boxes that got it wrong.

regards,
Nikos

v2.23.0 | Report a Bug | By Email