IETF Logo Mail Archive

Re: [TLS] SCSVs and SSLv3 fallback

"Yngve N. Pettersen" <yngve@spec-work.net> Fri, 05 April 2013 23:18 UTC

Return-Path: <yngve@spec-work.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D24921F8F86 for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 16:18:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0oviQNIF7Q1X for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 16:18:38 -0700 (PDT)
Received: from smtp.domeneshop.no (smtp.domeneshop.no [194.63.252.54]) by ietfa.amsl.com (Postfix) with ESMTP id 2F16921F8F33 for <tls@ietf.org>; Fri, 5 Apr 2013 16:18:38 -0700 (PDT)
Received: from 239.171.251.212.customer.cdi.no ([212.251.171.239]:57990 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <yngve@spec-work.net>) id 1UOFu0-0003ZC-BH for tls@ietf.org; Sat, 06 Apr 2013 01:18:36 +0200
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: tls@ietf.org
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid> <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com> <515F428E.2010900@gnutls.org> <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com> <D4CC5248-B1F1-498E-8058-5E17BADB3CE6@vpnc.org> <CAGZ8ZG2uvKs8-Sn9bvQyaP9t_E3BhkZFoi7Sq9wbxaHNpf_NDg@mail.gmail.com>
Date: Sat, 06 Apr 2013 01:18:19 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.wu3cctbc3dfyax@killashandra.invalid.invalid>
In-Reply-To: <CAGZ8ZG2uvKs8-Sn9bvQyaP9t_E3BhkZFoi7Sq9wbxaHNpf_NDg@mail.gmail.com>
User-Agent: Opera Mail/12.14 (Win32)
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 23:18:39 -0000

On Sat, 06 Apr 2013 00:47:16 +0200, Trevor Perrin <trevp@trevp.net> wrote:

> On Fri, Apr 5, 2013 at 3:19 PM, Paul Hoffman <paul.hoffman@vpnc.org>  
> wrote:
>> On Apr 5, 2013, at 3:11 PM, Trevor Perrin <trevp@trevp.net> wrote:
>>> On Fri, Apr 5, 2013 at 2:30 PM, Nikos Mavrogiannopoulos  
>>> <nmav@gnutls.org> wrote:
>>>>
>>>> I wouldn't expect the problem of failed TLS connections due to middle
>>>> boxes or bad implementations to disappear by making a complex protocol
>>>> even more complex.
>>>
>>> If the problem is TLS-intolerant middleboxes, then allowing necessary
>>> handshake data to flow via SSLv3, using a mechanism that has worked
>>> for other extension data, should make the problem better.  No?
>>
>> No. You assume that the "TLS-intolerant middleboxes" actually  
>> understand real SSLv3, not some very limited and old picture of it. You  
>> might fix the problem for *some* middleboxes, at the cost of making the  
>> protocol even more fragile.
>
> Well, we're agreed this might fix the problem for some middleboxes. :-)
>
> The alternative, in the TLS-intolerant middlebox case, is... what,
> exactly?  Fail to connect?

Given that we don't know what these middleboxes react to, using SCSVs  
might work for some, but not others, because those could be checking for  
"known" cipher suites; some might even consider a unknown cipher suite to  
be an "attack". (Note: There are apparently middleboxes that do not allow  
TLS 1.1 or TLS 1.2 connections to be established, so if these middleboxes  
block on "unknown" protocol versions, I would not be surprised if some  
don't fail to pass "unknown" cipher suites, as well)

That the Renego SCSV *seem* to have worked, does not mean that a new SCSV  
will work equally well.

As Paul says, adding an SCSV system will add complexity, which might cause  
other problems, including differences between how implementations behave  
when seeing them. Example: There are a number of servers, F5 BigIP among  
them, that does not tolerate a combination of the Renego Information  
Extension and the Renego SCSV in the same handshake.

The danger is that by using an SCSV we might "fix" the problem for one  
group of users, and completely break SSL/TLS for another group of users,  
the size of which might conceivably be substantially larger than the other  
group, and there is no way to find out which it is going to be before the  
system is deployed.

For that matter, using an SCSV to indicate an extension and to bypass an  
interfering middlebox assumes that the middlebox will permit the  
associated handshake extension to be passed back to the client. I don't  
think that is a certainty, even if it seems to have worked for Renego (but  
worst case: that might be due to the middle boxes being updated to handle  
that particular extension, since it was a security protocol patch)

Bottom line: Assume that Murphy's Law applies; if something can be done  
wrong, then somebody will do it wrong. And in terms of these middleboxes,  
somebody have, but we don't know how many ways they have done it wrong.

-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/

v2.23.0 | Report a Bug | By Email