IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Brian Smith <brian@briansmith.org> Fri, 26 September 2014 20:02 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 662CC1A01EE for <tls@ietfa.amsl.com>; Fri, 26 Sep 2014 13:02:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bYjzCN7rOB5y for <tls@ietfa.amsl.com>; Fri, 26 Sep 2014 13:02:53 -0700 (PDT)
Received: from mail-ob0-f176.google.com (mail-ob0-f176.google.com [209.85.214.176]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5EDC1A00A3 for <tls@ietf.org>; Fri, 26 Sep 2014 13:02:53 -0700 (PDT)
Received: by mail-ob0-f176.google.com with SMTP id vb8so1262934obc.7 for <tls@ietf.org>; Fri, 26 Sep 2014 13:02:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=dqp2/18ieb6cr0KNQ9zK3q2CQxHFU/pWTAFSP3XsCtw=; b=RM8Zf0d63Yj/JqIISgm5uGXKcQg/Atwf1oCu19htYk4OX2gdKkcyz6IV8//TM4chR0 9LlOMwZIcnR+eWDB/27hVDorwV9qsT+V67SoouXaIhiul6KO1ZfMi+4JveJzeiGEDRQf EWRSKttcuQrpYfY8vIPZjzsIFkDYn0dBNbx8mMongeX/DLQwp5M5upK31jTpsazx8EFj SehwFWvhOfHhqyYgn9o4L+0yn9spYZDrrnzGSXbcvkws8PGL2vBAQ/gtLIrQpeZUnS5a zzj01a56/2P2Q7WUVVULpdHGCwYMIzmxGVYGu7OMjUBvRE48l1FMCb75kMAOpitoB3k7 AcZQ==
X-Gm-Message-State: ALoCoQmfI72JhL9fQTSOgHhukq0u11DUwBaoVqMxuPH5CVUD1VAO23JeUad9HvINf1A/fQsp1Wzy
MIME-Version: 1.0
X-Received: by 10.182.126.233 with SMTP id nb9mr23823370obb.46.1411761772953; Fri, 26 Sep 2014 13:02:52 -0700 (PDT)
Received: by 10.76.74.36 with HTTP; Fri, 26 Sep 2014 13:02:52 -0700 (PDT)
In-Reply-To: <CADMpkcJL8U2cQQATykL8ygEaJzPEuUkzAr1uNGcMqN6abCYUHA@mail.gmail.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <CABkgnnUxeouqDNhYFGDC2xqUaT8r7zFvAT5U1OUGJwHwCOuOwA@mail.gmail.com> <CADMpkcJKJiTCQXdDbepyiAf22J9VC03DDgiE521n3NsNnFmALA@mail.gmail.com> <CABkgnnWo9KGMkRrmA0wkJ5Dfnzh2Vo-cveCe_UeH71F8K_4oWw@mail.gmail.com> <CADMpkcJpHeKGV-xc4Uon8KWj=+p=6nQO1_rxb6sRN04nFX--gQ@mail.gmail.com> <CABkgnnU8DyzRvvq1e24bUsZdwx48mFOC6KstZaUCbvyQ-WwesQ@mail.gmail.com> <CADMpkc+wXf=SG3=C==SV77YXZdbXnbXspJLRZ1UORPF-WbVMEw@mail.gmail.com> <CAFewVt5mEodyqB6TWCmvOUBek9Bnb43bmw5mAqph-hQU=F=EpA@mail.gmail.com> <CADMpkcJL8U2cQQATykL8ygEaJzPEuUkzAr1uNGcMqN6abCYUHA@mail.gmail.com>
Date: Fri, 26 Sep 2014 13:02:52 -0700
Message-ID: <CAFewVt7e6Na5dk9D505-GyBrbM=5tqkaOj+_=bKMc3_FHL+unA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/fTtQFE4TeBRfyuK6R3Vyr3z4kCA
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Sep 2014 20:02:55 -0000

On Fri, Sep 26, 2014 at 12:38 PM, Bodo Moeller <bmoeller@acm.org> wrote:
> Brian Smith <brian@briansmith.org>:
>> On Fri, Sep 26, 2014 at 12:34 AM, Bodo Moeller <bmoeller@acm.org> wrote:

<snip>

> *Could* fail, sorry. (As already explained by Martin, the problem appears if
> by the time you try to resume, the server supports additional protocol
> versions. Of course that could also happen for an immediate retry, and
> you'll have to live with it then; so I wonder if that "MUST" isn't too
> strict after all: if you're willing to start over on inappropriate_fallback,
> you might actually prefer to send TLS_FALLBACK_SCSV *in order* to get a
> connection failure if the server has been updated.)

Right. In general, a resumption ClientHello SHOULD be just like a
non-resumption ClientHello, except for the presence of the session ID
and/or session ticket, because a resumption ClientHello is potentially
the start of a full handshake.

The TLS specs (TLS 1.2, in this case) say:

   Whenever a client already knows the highest protocol version known to
   a server (for example, when resuming a session), it SHOULD initiate
   the connection in that native protocol.

However, actually the client does not ever know the highest protocol
version the server supports, because the server may have expanded its
version support since the last time the client contacted it. But, the
consequence of that sentence is that at least NSS sends the session
version as client_version instead of its actual max supported version.
I think that is wrong. However, it isn't clear if there are
compatibility issues with changing that.

>> Here is what the draft actually says:
>>
>>       However, as an exception to the above, when the client intends to
>>       perform an abbreviated handshake to resume a previously negotiated
>>       session and sets ClientHello.client_version to the protocol
>>       version negotiated for that session, the client MUST NOT include
>>       TLS_FALLBACK_SCSV in ClientHello.cipher_suites.
>>
>> So, if the client does NOT set ClientHello.client_version to the
>> version negotiated for that session, then the client MAY send the SCSV
>> in the resumption handshake.
>>
>> Now, if the server could indicate that it supports the SCSV somehow in
>> its ServerHello, then the client could save that acknowledgement in
>> the session state, and then make sure that it always sets
>> ClientHello.client_version to the highest version it supports,
>> regardless of the version that it negotiated for the session it is
>> trying to resume.
>
> Hm, if you can set ClientHello.client_version to the highest version
> supported by the client and the server tolerates that, you shouldn't be
> employing the fallback mechanism with this server in the first place.

I had thought that NSS was changed to use the session version for
ClientHello.client_version during resumption for compatibility
reasons. However, looking at the change history, it appears to be the
case that that change was made coincidentally with a compatibility fix
for renegotiation, not initial resumption handshakes. So, it may be
the case that it is already safe to always send the max supported
version as client_version in an initial resumption handshake, without
any indication from the server, even in the non-secure fallback case.
It would require some implementation to make that change and test the
compatibility to know for sure.

Cheers,
Brian

v2.23.0 | Report a Bug | By Email