IETF Logo Mail Archive

Re: [TLS] Deprecating SSLv3

Hubert Kario <hkario@redhat.com> Mon, 24 November 2014 16:33 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EE481A6EEF for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 08:33:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, WEIRD_PORT=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WRglEXm81_cD for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 08:33:09 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC7CA1A870C for <tls@ietf.org>; Mon, 24 Nov 2014 08:32:51 -0800 (PST)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id sAOGWl3a003673 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 24 Nov 2014 11:32:50 -0500
Received: from pintsize.usersys.redhat.com (dhcp-0-150.brq.redhat.com [10.34.0.150]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id sAOGWjTb007382 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 24 Nov 2014 11:32:47 -0500
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Mon, 24 Nov 2014 17:32:45 +0100
Message-ID: <1713002.kBYARvl7be@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.2 (Linux/3.16.7-200.fc20.x86_64; KDE/4.14.2; x86_64; ; )
In-Reply-To: <20141124155935.51E0C1B004@ld9781.wdf.sap.corp>
References: <20141124155935.51E0C1B004@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/gd_4U_ng12P7b-lJjdx0JFv2HM4
Subject: Re: [TLS] Deprecating SSLv3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 16:33:11 -0000

On Monday 24 November 2014 16:59:35 Martin Rex wrote:
> Hubert Kario wrote:
> > I've extended the scanner to try more fallbacks when testing (retry with a
> > much smaller client hello) and the stats for this month look like this:
> > 
> > Supported Protocols       Count     Percent
> > -------------------------+---------+-------
> > SSL2                      38835     8.7934
> > SSL2 Only                 100       0.0226
> > SSL3                      204062    46.2059
> > SSL3 Only                 2195      0.497
> > SSL3 or TLS1 Only         108575    24.5847
> > SSL3 or lower Only        2293      0.5192
> > TLS1                      438481    99.2856
> > TLS1 Only                 46428     10.5127
> > TLS1 or lower Only        143729    32.5447
> > TLS1.1                    281522    63.7453
> > TLS1.1 Only               25        0.0057
> > TLS1.1 or up Only         443       0.1003
> > TLS1.2                    292517    66.2349
> > TLS1.2 Only               337       0.0763
> > TLS1.2, 1.0 but not 1.1   13585     3.0761
> 
> How do TLS extension support fit into your picture?

I don't know.

That is: I'm using openssl command line binary (albeit with few changes, 
modifications and additions compared to upstream) and as such I don't believe 
I can send TLS1.0/1.1/1.2 Client Hello without extensions.

In other words, all those servers that report TLS1.0 as supported mean also 
support for typical extensions (server_name, curves, signature_algorithms, 
etc.). The amount of servers which are TLS extension intolerant and either 
have SSLv3 disabled or are V2 client hello compatible is under 0.1%.

What I have no idea about is the amount of servers that are V2 ClientHello 
*and* TLS-extension intolerant.

> Just a few days ago I was working on a customer message about interop
> problems with a Business-2-Business scenario, and the Server that is used
> seems to be an extensions-intolerant TLSv1.0 server.  The server is OK
> with ClientHello.client_version = { 3, 3 }, but when ClientHello includes
> any TLS extensions, it will abort with a fatal unexpected_message(10) alert.
> 
>  (the Website is http://www.elemica.com,
>    the service(s) are on https://preprod.connect.elemica.com:5443
>                      and https://connect.elemica.com:5443
>    authentication is by TLS client certificate, but you'll see the
>    TLS extensions intolerance by the fatal alert response to ClientHello.
> 
> > I think we can safely banish a protocol that only 0.5% of servers require
> > for interoperability.
> 
> Maybe you can, but I can not.  The support load would still be prohibitive.

In the case you're talking about you can connect using TLS1.0 without 
extensions, and while that is suboptimal in general it is allowed under 
current draft (and supported with TLS_FALLBACK_SCSV).

Anyway, you should file a complaint to the manufacturer that it haven't 
addressed the POODLE vulnerability in their product (or that it doesn't 
implement advertised protocols properly).
If you don't have a contract under which you can do that or can't change the 
TLS library yourself, you have much bigger problems anyway...
 
> > Regarding the SSLv3 MUST NOT: we have to remember that we're talking about
> > a security protocol *used* for security. In such context SSLv3 should not
> > be used.
> > 
> > Just like MD5 use for digital signatures is completely broken but is
> > completely fine to use it as a checksum to verify proper download of a
> > file
> > over internet (people use CRC32 for that!), use of SSLv3 for interop is
> > fine, but not if it is used for confidentiality.
> 
> You might not be aware of it, but there is only one TLS protocol version
> that allows digital signatures with md5WithRsaEncryption, and that is
> TLSv1.2.

yes, I am aware about that. Quite a few servers will in fact happily sign the 
key exchange with MD5. But that will happen only if the client advertises 
support for it (I did found 3 that will sign using only MD5 but I haven't 
checked if it's not a false positive). And most will fallback to either non 
(EC)DHE cipher or just force SHA1 on the client if it doesn't advertise RSA 
key signature algorithms.

-- 
Regards,
Hubert Kario

v2.14.0 | Report a Bug | By Email