Re: [TLS] SCSVs and SSLv3 fallback
"Yngve N. Pettersen" <yngve@spec-work.net> Fri, 05 April 2013 23:18 UTC
Return-Path: <yngve@spec-work.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D24921F8F86 for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 16:18:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0oviQNIF7Q1X for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 16:18:38 -0700 (PDT)
Received: from smtp.domeneshop.no (smtp.domeneshop.no [194.63.252.54]) by ietfa.amsl.com (Postfix) with ESMTP id 2F16921F8F33 for <tls@ietf.org>; Fri, 5 Apr 2013 16:18:38 -0700 (PDT)
Received: from 239.171.251.212.customer.cdi.no ([212.251.171.239]:57990 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <yngve@spec-work.net>) id 1UOFu0-0003ZC-BH for tls@ietf.org; Sat, 06 Apr 2013 01:18:36 +0200
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: tls@ietf.org
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid> <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com> <515F428E.2010900@gnutls.org> <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com> <D4CC5248-B1F1-498E-8058-5E17BADB3CE6@vpnc.org> <CAGZ8ZG2uvKs8-Sn9bvQyaP9t_E3BhkZFoi7Sq9wbxaHNpf_NDg@mail.gmail.com>
Date: Sat, 06 Apr 2013 01:18:19 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.wu3cctbc3dfyax@killashandra.invalid.invalid>
In-Reply-To: <CAGZ8ZG2uvKs8-Sn9bvQyaP9t_E3BhkZFoi7Sq9wbxaHNpf_NDg@mail.gmail.com>
User-Agent: Opera Mail/12.14 (Win32)
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 23:18:39 -0000
On Sat, 06 Apr 2013 00:47:16 +0200, Trevor Perrin <trevp@trevp.net> wrote: > On Fri, Apr 5, 2013 at 3:19 PM, Paul Hoffman <paul.hoffman@vpnc.org> > wrote: >> On Apr 5, 2013, at 3:11 PM, Trevor Perrin <trevp@trevp.net> wrote: >>> On Fri, Apr 5, 2013 at 2:30 PM, Nikos Mavrogiannopoulos >>> <nmav@gnutls.org> wrote: >>>> >>>> I wouldn't expect the problem of failed TLS connections due to middle >>>> boxes or bad implementations to disappear by making a complex protocol >>>> even more complex. >>> >>> If the problem is TLS-intolerant middleboxes, then allowing necessary >>> handshake data to flow via SSLv3, using a mechanism that has worked >>> for other extension data, should make the problem better. No? >> >> No. You assume that the "TLS-intolerant middleboxes" actually >> understand real SSLv3, not some very limited and old picture of it. You >> might fix the problem for *some* middleboxes, at the cost of making the >> protocol even more fragile. > > Well, we're agreed this might fix the problem for some middleboxes. :-) > > The alternative, in the TLS-intolerant middlebox case, is... what, > exactly? Fail to connect? Given that we don't know what these middleboxes react to, using SCSVs might work for some, but not others, because those could be checking for "known" cipher suites; some might even consider a unknown cipher suite to be an "attack". (Note: There are apparently middleboxes that do not allow TLS 1.1 or TLS 1.2 connections to be established, so if these middleboxes block on "unknown" protocol versions, I would not be surprised if some don't fail to pass "unknown" cipher suites, as well) That the Renego SCSV *seem* to have worked, does not mean that a new SCSV will work equally well. As Paul says, adding an SCSV system will add complexity, which might cause other problems, including differences between how implementations behave when seeing them. Example: There are a number of servers, F5 BigIP among them, that does not tolerate a combination of the Renego Information Extension and the Renego SCSV in the same handshake. The danger is that by using an SCSV we might "fix" the problem for one group of users, and completely break SSL/TLS for another group of users, the size of which might conceivably be substantially larger than the other group, and there is no way to find out which it is going to be before the system is deployed. For that matter, using an SCSV to indicate an extension and to bypass an interfering middlebox assumes that the middlebox will permit the associated handshake extension to be passed back to the client. I don't think that is a certainty, even if it seems to have worked for Renego (but worst case: that might be due to the middle boxes being updated to handle that particular extension, since it was a security protocol patch) Bottom line: Assume that Murphy's Law applies; if something can be done wrong, then somebody will do it wrong. And in terms of these middleboxes, somebody have, but we don't know how many ways they have done it wrong. -- Sincerely, Yngve N. Pettersen Using Opera's mail client: http://www.opera.com/mail/
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Hanno Böck
- Re: [TLS] SCSVs and SSLv3 fallback Geoffrey Keating
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Joseph Birr-Pixton
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Paul Hoffman
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Adam Langley
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yoav Nir