IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Bodo Moeller <bmoeller@acm.org> Fri, 24 October 2014 09:58 UTC

Return-Path: <SRS0=P+xR=7P=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8864C1A8963 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 02:58:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.938
X-Spam-Level:
X-Spam-Status: No, score=-0.938 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gvMQLOE_2T9W for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 02:58:52 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 033C21A894D for <tls@ietf.org>; Fri, 24 Oct 2014 02:58:51 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by mrelayeu.kundenserver.de (node=mreue005) with ESMTP (Nemesis) id 0LwmZo-1YAOw53qHY-016LIg; Fri, 24 Oct 2014 11:58:50 +0200
Received: by mail-qa0-f51.google.com with SMTP id k15so639434qaq.24 for <tls@ietf.org>; Fri, 24 Oct 2014 02:58:47 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.170.220.8 with SMTP id m8mr4920218ykf.48.1414144727716; Fri, 24 Oct 2014 02:58:47 -0700 (PDT)
Received: by 10.170.194.15 with HTTP; Fri, 24 Oct 2014 02:58:47 -0700 (PDT)
In-Reply-To: <5449E969.9000800@brainhub.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5449E969.9000800@brainhub.org>
Date: Fri, 24 Oct 2014 11:58:47 +0200
Message-ID: <CADMpkc+cLJNMYZb4OqukM7qT1aPsqEmCF0JxOyuLYe=78BEcgQ@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11390932281ccb0506283a0d"
X-Provags-ID: V02:K0:BtcrtUfcKDC/2hWOSfATOTGnNiPqsWTGYi/5v0t8JG9 UYvmW9Ep7hM2wWb9K20f7FF+TWUpx5Xiv5k4eUQxrY2Jr80gNt hOKC8OKt7wKy7vOf9J3n+9d03n5iYSaEnxW/1BhC9jcZNGuYf+ rjRCLBcSOwMz969hZgMzZ6COJCfxq6vLCVAMnLpkinGcuNh1Mt d9PJDCTW245/+njJrY+GUHsrIfD51J8ocbx8PnEnHTogGn2DMx jGtJRcR27G5Dw9pttsVXmHjXYEiWDiOeERb7wyvyG0BRC29hew I9gJciOVr1+7en/vi45jO2oOzKJBNJCKvPOmXZYuS7K1zf4CEM xwCChzl9kCMtIp+ofAiyz5E/1ufGKGAm4G8UlbpkTB6WJhzbN0 GohTyKUua9mm60sJAUgkplaYftWRuzDdRvP92oYUwz9htgoCMO 0D8AV
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/b8qcMEGRwlM0w-ghv13WAqnprtc
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 10:01:13 -0000

Andrey Jivsov <crypto@brainhub.org>:

Client decides to drop to TLS1.1 (due to network glitch, etc). [...] The
> server MUST fail with inappropriate_fallback per sec 3.
>
> Is it a good idea to reject a more secure protocol than the server can
> possibly negotiate with this client?


In this case, the connection really fails due to the network glitch. If the
client wasn't attempting fallback retries, it would similarly fail. (This
could happen independently of the cipher suites that the server accepts.)

In the kind of hypothetical scenario that you describe, it indeed wouldn't
cause a reduction in security to accept the connection instead of failing,
but optimizing for corner cases like this one doesn't seem reasonable: it
necessarily would make the mechanism more complex overall.

(The server behavior that you describe also would be really odd. The CBC
cipher suites are more broken in SSL 3.0 than in TLS 1.0, and more broken
in TLS 1.0 than in TLS 1.1. If the server *does* support one of the newer
protocol versions, why would it only support the most broken incarnation of
that cipher suite?

Also note that in the *specific* hypothetical scenario that you describe,
the server actually would accept the fallback retry: you said that TLS 1.0
is the highest protocol version supported by the server; this is not higher
than ClientHello.client_version in the TLS 1.1 retry, so the server
wouldn't reject.)

Bodo

v2.23.0 | Report a Bug | By Email