IETF Logo Mail Archive

Re: [TLS] SCSVs and SSLv3 fallback

mrex@sap.com (Martin Rex) Mon, 08 April 2013 19:00 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A52221F9771 for <tls@ietfa.amsl.com>; Mon, 8 Apr 2013 12:00:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.053
X-Spam-Level:
X-Spam-Status: No, score=-10.053 tagged_above=-999 required=5 tests=[AWL=-0.104, BAYES_00=-2.599, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ClnPMKRgIm91 for <tls@ietfa.amsl.com>; Mon, 8 Apr 2013 12:00:32 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id D613A21F9762 for <tls@ietf.org>; Mon, 8 Apr 2013 12:00:30 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r38J0QiL002346 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 8 Apr 2013 21:00:26 +0200 (MEST)
In-Reply-To: <20130404233402.6c91a9bf@melee>
To: Hanno Böck <hanno@hboeck.de>
Date: Mon, 08 Apr 2013 21:00:26 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20130408190026.0CA491A698@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 19:00:35 -0000

Hanno Böck wrote:
>
> Trevor Perrin <trevp@trevp.net> wrote:
>>
>> I've heard (anecdotally) that HTTPS between browsers and webservers
>> who are both TLS-capable sometimes results in SSLv3 connections.
>> Presumably this is due to firewall interference with the TLS
>> handshake, causing browsers to retry an SSLv3 handshake.
> 
> This happens pretty often if you have a unreliable (e.g. mobile)
> internet connection. Mozilla/nss-Bug about it:
> https://bugzilla.mozilla.org/show_bug.cgi?id=450280
> 
> And it's a serious problem if you're using Server Name
> Indication (SNI) for more than one SSL cert on one IP. The "solution" I
> found for our case was that I found it tolerable today to disable SSLv3
> on the server side. However, I'm not really happy with that browser
> fallback behaviour, it's a serious pitfall for the use of SNI.


Looking at the discussion under the above bugzilla URL (and how long
this has been dragging along) is quite disappointing.

I've seen vaguely similar breakage in Microsoft SChannel when used by
WinHTTP with lots of active scripting, occasionally causing white pages,
stateful apps to get out-of-sync with the frontend and users to loose
their input.

I believe, that the effect is already properly described here:
  https://bugzilla.mozilla.org/show_bug.cgi?id=450280#c3

in that it can even happen with <Ctrl-F5> (reload).

and "some" light in this response:
  https://bugzilla.mozilla.org/show_bug.cgi?id=450280#c13

mentioning that "reload" is technically a "stop+reload".


The issue that seems to affect Firefox in the same fashion that it
affects SChannel is that the fallback driving logic fails to distinguish
between locally triggered aborts of a TLS handshake and aborts caused
by the remote peer (unexpected remote connection closure, fatal TLS alert
or MAC error during the TLS handshake).  A timeout during the TLS handshake
is **seperate** and harder to deal with.

Active scripting, Users hitting <Ctrl-F5> or Reload, User navigation before
a page has completed loading of all elements, (meta-)refresh before a
page has completed loading of all elements and event-based active content
that causes replacement of page data or navigation to other locations
may all **LOCALLY** cause termination of an active TLS socket, and
in arbitrary states of the communication -- sometimes during the handshake.

When the TLS socket is locally aborted, this ought to neither invalidate
the client-side TLS session cache entry, nor ought this to cause a
fallback to a lower TLS protocol version.  From what is described in
the above bugzilla entry, it appears that FF might inappropriately
perform a fallback when the connection is locally aborted (potentially
limited to aborting during an active TLS handshake).


Depending on what the TLS client memorizes about (prior) connections,
a first change might be to make the purging of TLS sessions from the
client-side TLS session cache less agressive, and not perform a protocol
fallback to SSLv3 when there is an existing TLS session in the TLS session
cache that was successfully established with TLS extensions in the
ClientHello.


-Martin

v2.23.0 | Report a Bug | By Email