Re: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)

Andrei Popov <Andrei.Popov@microsoft.com> Fri, 17 October 2014 20:35 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>, Bodo Moeller <bmoeller@acm.org>
Date: Fri, 17 Oct 2014 20:35:05 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/XT7aXuMsWGUV93SIAJjlpk42Cgg
Cc: "tls@ietf.org" <tls@ietf.org>

Now that SSL's days are counted, why use SCSV (rather than a TLS extension)?

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Thomson
Sent: Friday, October 17, 2014 1:03 PM
To: Bodo Moeller
Cc: tls@ietf.org
Subject: Re: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)

On 17 October 2014 06:51, Bodo Moeller <bmoeller@acm.org> wrote:
> I know. This is exactly why OpenSSL does honor 
> SSL_MODE_SEND_FALLBACK_SCSV even when the highest supported protocol 
> version is enabled. (So the best way to make the API less fragile 
> might be to create an additional setting that makes 
> SSL_MODE_SEND_FALLBACK_SCSV behavior unconditional, such as
> SSL_MODE_SEND_FALLBACK_SCSV_FOR_TESTING.)

I considered building this sort of feature, but it comes down to this: if you are doing the fallback thing, such that setting this option is even a possibility, then you are already tall enough to work out when to send the SCSV and when not to.

Furthermore, we have situations where clients are configured to send less than the highest version initially, such that it would not be appropriate to set the SCSV.  And, we now have experimental TLS 1.3 code in NSS, all of which makes the question of what the actual highest version that is supported is quite murky.

Another alternative is to have a value that is set to the highest version permitted.  Handshakes that go out with lower version numbers get marked with the SCSV.  Set this to a low value and the SCSV is suppressed.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
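
The alternative described at the end of the quoted message (a configured highest permitted version, with any ClientHello below it marked with the SCSV), together with the matching server-side check, as an added example that is not part of the thread and is not NSS or OpenSSL code. The function names, the `fallback_limit` parameter and the sample suite list are hypothetical; the SCSV code point and alert number are those of the published TLS_FALLBACK_SCSV specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_FALLBACK_SCSV            0x5600u /* cipher suite value {0x56, 0x00} */
#define ALERT_INAPPROPRIATE_FALLBACK 86      /* alert the server answers with */

/* Constructed sample offer: two ordinary cipher suite code points. */
static const uint16_t SAMPLE_SUITES[2] = { 0xC02F, 0x002F };

/* Client side (hypothetical helper): copy the offered suites and mark the
 * ClientHello with the SCSV when its version is below fallback_limit.
 * Returns the number of suites written, or 0 if out is too small. */
size_t client_build_suites(uint16_t hello_version, uint16_t fallback_limit,
                           const uint16_t *suites, size_t n,
                           uint16_t *out, size_t out_cap)
{
    int mark = hello_version < fallback_limit;
    size_t i;
    if (n + (mark ? 1u : 0u) > out_cap)
        return 0;
    for (i = 0; i < n; i++)
        out[i] = suites[i];
    if (mark)
        out[n++] = TLS_FALLBACK_SCSV;
    return n;
}

/* Server side: the SCSV plus a server maximum above the offered version
 * means the client fell back without need. Returns the alert, or 0. */
int server_check_fallback(uint16_t client_version, uint16_t server_max,
                          const uint16_t *suites, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (suites[i] == TLS_FALLBACK_SCSV && server_max > client_version)
            return ALERT_INAPPROPRIATE_FALLBACK;
    return 0;
}

int main(void)
{
    uint16_t out[3];
    /* TLS 1.0 hello (0x0301), limit TLS 1.2 (0x0303), server max TLS 1.2. */
    size_t n = client_build_suites(0x0301, 0x0303, SAMPLE_SUITES, 2, out, 3);
    printf("suites=%zu alert=%d\n", n, server_check_fallback(0x0301, 0x0303, out, n));
    return 0;
}
```

Setting `fallback_limit` to a low value such as 0x0300 suppresses the SCSV for every hello, which is the behaviour the message describes for clients that deliberately start below their highest version.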