Return-Path: X-Original-To: tls@ietfa.amsl.com Delivered-To: tls@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8864C1A8963 for ; Fri, 24 Oct 2014 02:58:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.938 X-Spam-Level: X-Spam-Status: No, score=-0.938 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gvMQLOE_2T9W for ; Fri, 24 Oct 2014 02:58:52 -0700 (PDT) Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 033C21A894D for ; Fri, 24 Oct 2014 02:58:51 -0700 (PDT) Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by mrelayeu.kundenserver.de (node=mreue005) with ESMTP (Nemesis) id 0LwmZo-1YAOw53qHY-016LIg; Fri, 24 Oct 2014 11:58:50 +0200 Received: by mail-qa0-f51.google.com with SMTP id k15so639434qaq.24 for ; Fri, 24 Oct 2014 02:58:47 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.170.220.8 with SMTP id m8mr4920218ykf.48.1414144727716; Fri, 24 Oct 2014 02:58:47 -0700 (PDT) Received: by 10.170.194.15 with HTTP; Fri, 24 Oct 2014 02:58:47 -0700 (PDT) In-Reply-To: <5449E969.9000800@brainhub.org> References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5449E969.9000800@brainhub.org> Date: Fri, 24 Oct 2014 11:58:47 +0200 Message-ID: From: Bodo Moeller To: "tls@ietf.org" Content-Type: multipart/alternative; boundary=001a11390932281ccb0506283a0d X-Provags-ID: V02:K0:BtcrtUfcKDC/2hWOSfATOTGnNiPqsWTGYi/5v0t8JG9 UYvmW9Ep7hM2wWb9K20f7FF+TWUpx5Xiv5k4eUQxrY2Jr80gNt hOKC8OKt7wKy7vOf9J3n+9d03n5iYSaEnxW/1BhC9jcZNGuYf+ rjRCLBcSOwMz969hZgMzZ6COJCfxq6vLCVAMnLpkinGcuNh1Mt d9PJDCTW245/+njJrY+GUHsrIfD51J8ocbx8PnEnHTogGn2DMx jGtJRcR27G5Dw9pttsVXmHjXYEiWDiOeERb7wyvyG0BRC29hew I9gJciOVr1+7en/vi45jO2oOzKJBNJCKvPOmXZYuS7K1zf4CEM xwCChzl9kCMtIp+ofAiyz5E/1ufGKGAm4G8UlbpkTB6WJhzbN0 GohTyKUua9mm60sJAUgkplaYftWRuzDdRvP92oYUwz9htgoCMO 0D8AV X-UI-Out-Filterresults: notjunk:1; Archived-At: http://mailarchive.ietf.org/arch/msg/tls/b8qcMEGRwlM0w-ghv13WAqnprtc Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00 X-BeenThere: tls@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Oct 2014 10:01:13 -0000 --001a11390932281ccb0506283a0d Content-Type: text/plain; charset=UTF-8 Andrey Jivsov : Client decides to drop to TLS1.1 (due to network glitch, etc). [...] The > server MUST fail with inappropriate_fallback per sec 3. > > Is it a good idea to reject a more secure protocol than the server can > possibly negotiate with this client? In this case, the connection really fails due to the network glitch. If the client wasn't attempting fallback retries, it would similarly fail. (This could happen independently of the cipher suites that the server accepts.) In the kind of hypothetical scenario that you describe, it indeed wouldn't cause a reduction in security to accept the connection instead of failing, but optimizing for corner cases like this one doesn't seem reasonable: it necessarily would make the mechanism more complex overall. (The server behavior that you describe also would be really odd. The CBC cipher suites are more broken in SSL 3.0 than in TLS 1.0, and more broken in TLS 1.0 than in TLS 1.1. If the server *does* support one of the newer protocol versions, why would it only support the most broken incarnation of that cipher suite? Also note that in the *specific* hypothetical scenario that you describe, the server actually would accept the fallback retry: you said that TLS 1.0 is the highest protocol version supported by the server; this is not higher than ClientHello.client_version in the TLS 1.1 retry, so the server wouldn't reject.) Bodo --001a11390932281ccb0506283a0d Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Andr= ey Jivsov <crypto@brainhub.org>:

Client decides to drop to TLS1.1 (due to network glitch, etc). [...]=C2=A0T= he server MUST fail with inappropriate_fallback per sec 3.

Is it a good idea to reject a more secure protocol than the server can poss= ibly negotiate with this client?

In this ca= se, the connection really fails due to the network glitch. If the client wa= sn't attempting fallback retries, it would similarly fail. (This could = happen independently of the cipher suites that the server accepts.)=C2=A0

In the kind of hypothetical scenario that you descr= ibe, it indeed wouldn't cause a reduction in security to accept the con= nection instead of failing, but optimizing for corner cases like this one d= oesn't seem reasonable: it necessarily would make the mechanism more co= mplex overall.

(The server behavior that you descr= ibe also would be really odd. The CBC cipher suites are more broken in SSL = 3.0 than in TLS 1.0, and more broken in TLS 1.0 than in TLS 1.1. If the ser= ver *does* support one of the newer protocol versions, why would it only su= pport the most broken incarnation of that cipher suite?

Also note that in the *specific* hypothetical scenario that you descr= ibe, the server actually would accept the fallback retry: you said that TLS= 1.0 is the highest protocol version supported by the server; this is not h= igher than ClientHello.client_version in the TLS 1.1 retry, so the server w= ouldn't reject.)

Bodo
--001a11390932281ccb0506283a0d--