Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

David Benjamin <> Fri, 03 June 2016 18:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1908D12D5FC for <>; Fri, 3 Jun 2016 11:20:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.125
X-Spam-Status: No, score=-4.125 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id agFZN4wP_ChE for <>; Fri, 3 Jun 2016 11:20:03 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AFCC112D0AE for <>; Fri, 3 Jun 2016 11:20:03 -0700 (PDT)
Received: by with SMTP id o189so71818739ioe.2 for <>; Fri, 03 Jun 2016 11:20:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=a8tNtndgfZ1z2c6K4tXj+K/ebWAha8WgwjMz3cFfzNM=; b=NXNJgQMnTNEf4baaDIwVtXxOVLu/LH9Ai430/RyxVMorMG21XfPF4nlBHTCDTDtxX3 rCu65Yc2yYIY62hA7hqyHCzh5rPwQ48jDu00GBCkhribmDLwkcWwn7savobyPRxBIBCQ /UoPYDvEX7R5FByb5X98fu/T0h6IpFp17qWuQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=a8tNtndgfZ1z2c6K4tXj+K/ebWAha8WgwjMz3cFfzNM=; b=WNliJa9+wvaPHuL78zGQoJS7I20yaRnYRUg08/1E+DDLj3NsofuAm4+QQZikHn+cyO recl9oV+MlL6mQC/H/xYtqxTN0eZVKd0LQsMDa9iZ7tuvtXBnjYZRkdkAPeC2kB3994G PXfsJgnH+xVBVZAqFYcuSoVh65l3wWdePGLtdU5C16t7hQH5Qm2pstKOV34+UPBq1ZOe gb4i3jVGmtSKG7N/aRqFVsQYyS4l0y4xiq/7BQY2MQY3GBHvX3rkNhlXDtxtrc1sAThp l4jagR9MQYB913+M66VFwg7UwZO56t+3wNAifYZnXrLsjrhm2XIUV7BHBLuq1mcZYeFV tMWw==
X-Gm-Message-State: ALyK8tKjHE9hFNY0zhkhcoYTaJ/47Gbk1H+ScQnZrvRRw9enwdbu53wfpt6TovxbiQliUCTJuB6MT0JPTiwPma5K
X-Received: by with SMTP id b16mr7507374ioa.6.1464978002788; Fri, 03 Jun 2016 11:20:02 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: David Benjamin <>
Date: Fri, 03 Jun 2016 18:19:52 +0000
Message-ID: <>
Content-Type: multipart/alternative; boundary=001a1144180e761584053463c521
Archived-At: <>
Subject: Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 03 Jun 2016 18:20:06 -0000

I think I could be convinced in either direction right now.

It is definitely ugly and more of a nuisance to implement. The alternative
is a fallback and then painfully driving it out later. We've done that
before and we have FALLBACK_SCSV and the server_random trick now.

At the same time, I am rather bored of this fallback game. We can actually
avoid the intolerance problem with this mechanism. Suppose we used empty
indicator extensions, one for each new version. Then as long as servers
tolerate unknown extensions, we'll be fine. So far this has not rusted yet,
and we can defend it from rust by having clients send random fake
extensions out of a range of values we burn for this purpose[*] (or private
use area). If one extension with a list of values, we can do something

(Strictly speaking, the version already does not appear at a fixed position
because a ClientHello may be pathologically fragmented. OpenSSL even had
CVE-2014-3511 here. I believe the master branch no longer has a sniff-based
version negotiation. BoringSSL hasn't for a while now. But rejecting such
pathologically fragmented ClientHellos is reasonable and OpenSSL 1.0.x does
it now.)


[*] I'm planning on writing something up here soon.

On Fri, Jun 3, 2016 at 1:40 PM Viktor Dukhovni <>;

> On Fri, Jun 03, 2016 at 06:39:58AM -0700, Eric Rescorla wrote:
> > My opinion on this hasn't really changed since the last time. This seems
> > like it's more complicated and it's not clear to me why it won't lead to
> > exactly the same version intolerance problem in future.
> Doing version negotiation through extensions would be a major
> implementation burden.  At present the client version appears early
> in the ClientHello at a fixed position in the packet, and the server
> can quickly grab the version, compute the highest shared version
> and branch to the protocol implementation for that version to parse
> the rest of the ClientHello.
> Putting the client version in an extension dramatically complicates
> server-side processing.  So my view is that this would not be
> progress.  This is IMNSHO even less likely to interoperate than
> what we have now.
> --
>         Viktor.
> _______________________________________________
> TLS mailing list