Re: [TLS] Broken browser behaviour with SCADA TLS

Peter Gutmann <> Wed, 04 July 2018 07:45 UTC

From: Peter Gutmann <>
To: Martin Thomson <>
Date: Wed, 4 Jul 2018 07:45:36 +0000
Subject: Re: [TLS] Broken browser behaviour with SCADA TLS

Martin Thomson <> writes:

>How is the client doing any of this?  The server picks the cipher suite.

Sorry, I meant the client only offers pure-RSA, not DHE+RSA, so the server is
forced to pick pure-RSA, e.g.:

Offered suite: TLS_RSA_WITH_AES_128_CBC_SHA.
Accepted suite: TLS_RSA_WITH_AES_128_CBC_SHA.
Offered suite: TLS_RSA_WITH_AES_256_CBC_SHA.

This is on a system without ECDHE present, so the server is looking for DHE
(preferentially) or RSA (if it really has to); the ECDHE suites are skipped.
This was noticed on systems which had disabled the pure-RSA suites because
some industry compliance thing required it, and found that Chrome was now
unusable for any of their devices.

(My suggestion that they might consider QQ Browser didn't go down too

>Newer versions might not have DHE, which I hope is consistent with your

Well, that'd bring FF closer to Chrome's brokenness.  I guess I could add a
comment about FF copying everything Chrome does as being consistent with my
expectations :-).

>As of the latest version, things should be the same - extensions shouldn't
>affect whether connections work.

Sure, the only reason for mentioning the "last version with extensions" is
that apparently some of the systems require browser extensions, and they
aren't going to be rewritten for current versions of Firefox.  So it was
whatever the last version with extensions was, either 52ESR or 56 (I didn't
ask, I'm on FF 56).

>The problem with DHE of course being that it uses the TLS 1.0 suites with the
>SHA1 MAC and with the MAC and encrypt in the wrong order. 

Given that SHA-1 is used in the HMAC form, it doesn't really matter security-
wise... The order of MAC and encrypt also depends on EtM/LTS support; I didn't
check who does what there. The real issue was to report on browser issues
when used in a SCADA environment and to poke vendors with a bit of a WTF?! for
their cipher suite support, or lack thereof. Currently the best by a long
shot is FF.
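The negotiation failure this message describes, as an added example that is not part of the original post and not code from Chrome, Firefox or any SCADA vendor. The suite lists are constructed to match the description above (a server with no ECDHE that prefers DHE over plain RSA and may have plain RSA disabled by policy, a client that offers ECDHE and plain RSA but no DHE, and a client that also offers DHE); the trace text is a copy of the lines quoted above, and the selection logic is a plain server-preference walk, not any particular TLS library's implementation.

```python
"""Cipher-suite negotiation model for the SCADA case described in the post.

Added example, not code from the post, from any browser, or from any SCADA
vendor. Suite lists are constructed to match the post's description. The
selection logic is a plain server-preference walk over the server's list;
a real TLS stack also checks certificate type, protocol version and
extensions before settling on a suite.
"""
import re

# Server suite list in its own preference order (constructed; no ECDHE at all).
SERVER_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Client offers (constructed). NO_DHE_CLIENT models the behaviour the post
# attributes to Chrome: ECDHE plus plain RSA, no DHE. DHE_CLIENT adds DHE.
NO_DHE_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
DHE_CLIENT = NO_DHE_CLIENT[:2] + [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
] + NO_DHE_CLIENT[2:]

# Trace lines in the format quoted in the post (constructed copy).
TRACE = """\
Offered suite: TLS_RSA_WITH_AES_128_CBC_SHA.
Accepted suite: TLS_RSA_WITH_AES_128_CBC_SHA.
Offered suite: TLS_RSA_WITH_AES_256_CBC_SHA.
"""

_KX_RE = re.compile(r"TLS_(ECDHE_RSA|ECDHE_ECDSA|DHE_RSA|DHE_DSS|RSA)_WITH_")


def key_exchange(suite):
    """Key-exchange family ('ECDHE', 'DHE' or 'RSA') read off an IANA suite name."""
    m = _KX_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised suite name: {suite}")
    return m.group(1).split("_")[0]


def select_suite(client_offer, server_suites=SERVER_SUITES, disabled=frozenset()):
    """Server-preference selection: the first suite in the server's list that the
    client also offered, skipping families disabled by policy. None models the
    handshake_failure the client sees when nothing is left."""
    offered = set(client_offer)
    for suite in server_suites:
        if key_exchange(suite) in disabled:
            continue
        if suite in offered:
            return suite
    return None


def diagnose(client_offer, server_suites=SERVER_SUITES, disabled=frozenset()):
    """Per key-exchange family, say why it could or could not be negotiated."""
    client_kx = {key_exchange(s) for s in client_offer}
    server_kx = {key_exchange(s) for s in server_suites}
    report = {}
    for kx in ("ECDHE", "DHE", "RSA"):
        if kx not in client_kx:
            report[kx] = "not offered by client"
        elif kx not in server_kx:
            report[kx] = "not supported by server"
        elif kx in disabled:
            report[kx] = "disabled by server policy"
        else:
            report[kx] = "usable"
    return report


def parse_trace(text):
    """Split 'Offered suite: X.' / 'Accepted suite: X.' lines into two lists."""
    offered, accepted = [], []
    for line in text.splitlines():
        m = re.match(r"(Offered|Accepted) suite: ([A-Z0-9_]+)", line)
        if m:
            (offered if m.group(1) == "Offered" else accepted).append(m.group(2))
    return offered, accepted


if __name__ == "__main__":
    for name, offer in (("no-DHE client", NO_DHE_CLIENT), ("DHE client", DHE_CLIENT)):
        for disabled in (frozenset(), frozenset({"RSA"})):
            policy = "plain RSA disabled" if disabled else "default policy"
            print(f"{name}, {policy}: {select_suite(offer, disabled=disabled)}")
            print("   ", diagnose(offer, disabled=disabled))
    print("trace:", parse_trace(TRACE))
```

With the default policy the no-DHE client lands on plain RSA, which is what the quoted trace shows; once the compliance policy disables the RSA family, the same client has nothing left and the handshake fails, while the client that also offers DHE still negotiates a DHE suite. To apply the model to a real device, replace the constructed lists with the suite list from a captured ClientHello and the device's configured server list.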