IETF Logo Mail Archive

Re: [TLS] inappropriate_fallback

Eric Rescorla <ekr@rtfm.com> Wed, 08 August 2018 14:22 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16159130E20 for <tls@ietfa.amsl.com>; Wed, 8 Aug 2018 07:22:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZwKNOnN2KBRZ for <tls@ietfa.amsl.com>; Wed, 8 Aug 2018 07:22:13 -0700 (PDT)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E29B2130E0D for <tls@ietf.org>; Wed, 8 Aug 2018 07:22:12 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id f18-v6so1721007lfc.2 for <tls@ietf.org>; Wed, 08 Aug 2018 07:22:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PkNP9AqDEt2Bt3wVolWQmlKAGh3p+JmQVwbrrNz28tA=; b=EGnC/L9DuuuHPibl692CqG40GD+giJzSFNkts6P0vR1bh68YCDwq2wwt/UxbqCkNep qBjfzgRdQgaOL361GqCn7vCXKCQJVbyxfz2cd075ivpnAUaZ1wmUyhP/6WZPLoK8Zq1L Rt9lQNhmslIaHJE2nKQa0d0odbKzsQyFdQyn08kVvbjYfezyWbuTIwHDgXmI3DTzbNqe odw7g4FdStv8QMZ+sbpPxM6fjTnHi50vAuzcTZOwicSzHhWpHyM/Ten5TPDNoMoWCPzl etsGL+h9hnMEag2wERUj+XQhF7o/XMQ7sPzLxwuVr/W9ILOCBq3HvUsELxdPvW8nAC4b AxZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PkNP9AqDEt2Bt3wVolWQmlKAGh3p+JmQVwbrrNz28tA=; b=iLC0PlgCtbKuVbbowI2X2t8L9WPtne2bvYfnATtrI2ywh7FUrSrMp0O6QqhM7tPHbZ z/bnOYdenAnm4p211Ob/vUjYvzpLDEhlYrS08DRhUOLMu3lCpVABPPgP3RhX4dIPCyjP twThbRLlJE4fP3Su0XWcJ8F/hwuQAEHiSMsQDIyATZRyNSKdcistG6A9Rsk7J8tzawoR 9GpdHYdoLKr0RZ5opXsJvuO7n3SeP6Y/H4gtp4vSk+9HpfUNf1iKuaT5CXAXyTn+KsYT m1Q1PnxO3wypXIjmN5sJzPBgDo/clVPsfPDCfAx+CTGXcJolnMi2rlK5ICmrAbKKRHi4 liuA==
X-Gm-Message-State: AOUpUlGbInXkimExkxby2a7pn3106Eja+Ej1iHOWDBi1ymMYbKO0LMEp oAe50djbEpqHGtvazGyqqRRBFCvE8ifr+HiAr5jHe8PU
X-Google-Smtp-Source: AA+uWPzzqINrFju7Y+ayjzY4n1tk6kaigcl20UFplikv+utZcR9spUJwEBMDawN4lTrXjVuxnFLVM9didS7IYdA9i9s=
X-Received: by 2002:a19:7403:: with SMTP id v3-v6mr597309lfe.97.1533738131183; Wed, 08 Aug 2018 07:22:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Wed, 8 Aug 2018 07:21:30 -0700 (PDT)
In-Reply-To: <5fca0e59-1649-9a49-766b-adacf9e4ea60@openssl.org>
References: <2fd24f64-bee5-18ed-cf0d-0fc999add395@openssl.org> <20180808132151.GQ28516@akamai.com> <4fe1cef1-2dd2-3838-9019-a97dd4dbe776@openssl.org> <CABcZeBM2Fmo03S=acb=ouZcyV=5-H5dV3is6TJjAJj-SDeRmBw@mail.gmail.com> <b18313b5-ca58-cf66-be72-46ad9ffb4ae0@openssl.org> <20180808140159.GR28516@akamai.com> <CABcZeBOgg0=1G4ENBF+wqZNFLfD6Q60674_G8cJqPZr7oQ9FMw@mail.gmail.com> <5fca0e59-1649-9a49-766b-adacf9e4ea60@openssl.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 08 Aug 2018 07:21:30 -0700
Message-ID: <CABcZeBOOHqvprQaCj47xgmsRZbD6jJLzVchDo4PfGOhHQQEoxg@mail.gmail.com>
To: Matt Caswell <matt@openssl.org>
Cc: Benjamin Kaduk <bkaduk@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007cea380572ed3c3d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eNA8i-JHxSadF-EBnmbWKVTSt-o>
Subject: Re: [TLS] inappropriate_fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Aug 2018 14:22:15 -0000

On Wed, Aug 8, 2018 at 7:11 AM, Matt Caswell <matt@openssl.org> wrote:

>
>
> On 08/08/18 15:06, Eric Rescorla wrote:
> > The spec is actually extremely clear on this point
> > https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3
> > <https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3>
> >
> >    TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
> >    MUST check that the last 8 bytes are not equal to either of these
> >    values.  TLS 1.2 clients SHOULD also check that the last 8 bytes are
> >    not equal to the second value if the ServerHello indicates TLS 1.1 or
> >    below.  If a match is found, the client MUST abort the handshake with
> >    an "illegal_parameter" alert.
>
> In this case the client is acting as a TLS 1.2 client so I don't think
> that this paragraph applies.
>

Well, not quite. It's a TLS 1.3 implementation that has sent a TLS 1.2 CH,
but that looks the same to the server as an active downgrade. This text was
is in fact intended to cover this case -- and that's how NSS interprets it
--  though perhaps it's not as explicit as one would like.

Regardless, I think illegal_parameter is a reasonable alert to send,
especially as sending a separate alert in the case of fallback and of
active downgrade is a pain.

-Ekr


> Matt
>
>

v2.23.0 | Report a Bug | By Email