Re: [TLS] version downgrade protection (was: inappropriate_fallback)
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 09 August 2018 13:00 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/b23ZUL58N7iL8GyZUljD7Asni20>
Hubert Kario <hkario@redhat.com> writes:

>the signalling bytes must be included only if server has support for higher
>protocol versions enabled; if TLS 1.2 and TLS 1.3 is explicitly disabled on
>the server, it must not include those signalling bytes

Ah, OK. In that case the text should probably make clear that "TLS 1.2 server" isn't "a server that implements RFC 5246" but "a server that's currently configured to run TLS 1.2".

Peter.
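
The rule discussed in this message, as an added Python example that is not part of the original post or of any TLS implementation: the decision to write the signalling bytes depends on the versions the server currently has enabled, not on the versions its code implements. The sentinel values are those of RFC 8446 section 4.1.3; the function names and the `enabled` set are assumptions made for illustration.

```python
import os

# Downgrade sentinels from RFC 8446 section 4.1.3: they overwrite the last
# 8 bytes of ServerHello.random ("DOWNGRD" followed by 0x01 or 0x00).
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")
DOWNGRADE_TLS11 = bytes.fromhex("444f574e47524400")

# ProtocolVersion wire values.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304


def server_random(negotiated, enabled, rng=os.urandom):
    """Return ServerHello.random for a server whose configuration currently
    enables the versions in `enabled` (hypothetical parameter)."""
    if negotiated not in enabled:
        raise ValueError("negotiated version is not enabled on this server")
    highest = max(enabled)  # what is configured, not what the code implements
    rand = rng(32)
    if highest >= TLS13 and negotiated == TLS12:
        return rand[:24] + DOWNGRADE_TLS12
    if highest >= TLS12 and negotiated <= TLS11:
        return rand[:24] + DOWNGRADE_TLS11
    return rand  # no higher version enabled than the one negotiated


def client_sees_downgrade(client_max, negotiated, random):
    """Client-side check: True means the handshake must be aborted."""
    tail = random[24:]
    if client_max >= TLS13 and negotiated <= TLS12:
        return tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
    if client_max == TLS12 and negotiated <= TLS11:
        return tail == DOWNGRADE_TLS11
    return False


if __name__ == "__main__":
    # Library implements TLS 1.3, but the operator has disabled it.
    r = server_random(TLS12, {TLS10, TLS11, TLS12})
    print("1.2-only config:", client_sees_downgrade(TLS13, TLS12, r))
    # Same library with TLS 1.3 enabled, handshake ends up at TLS 1.2.
    r = server_random(TLS12, {TLS12, TLS13})
    print("1.3 enabled, negotiated 1.2:", client_sees_downgrade(TLS13, TLS12, r))
```

A server configured for TLS 1.2 only returns an unmarked random, so a TLS 1.3 client completes the TLS 1.2 handshake with it; the same software with TLS 1.3 enabled marks the random and the client aborts.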