Re: [TLS] MS14-066 and the TLS premaster secret version check
Andrei Popov <Andrei.Popov@microsoft.com> Wed, 26 November 2014 01:14 UTC
Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 610971A86E1 for <tls@ietfa.amsl.com>; Tue, 25 Nov 2014 17:14:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_gjXc_-l7LN for <tls@ietfa.amsl.com>; Tue, 25 Nov 2014 17:14:21 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0735.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:735]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B5381A6FAC for <tls@ietf.org>; Tue, 25 Nov 2014 17:14:21 -0800 (PST)
Received: from BN3PR0301MB1250.namprd03.prod.outlook.com (25.161.207.26) by BN3PR0301MB1251.namprd03.prod.outlook.com (25.161.207.27) with Microsoft SMTP Server (TLS) id 15.1.26.15; Wed, 26 Nov 2014 01:13:58 +0000
Received: from BN3PR0301MB1250.namprd03.prod.outlook.com ([25.161.207.26]) by BN3PR0301MB1250.namprd03.prod.outlook.com ([25.161.207.26]) with mapi id 15.01.0026.003; Wed, 26 Nov 2014 01:13:58 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Yuhong Bao <yuhongbao_386@hotmail.com>, "tls@ietf.org" <tls@ietf.org>, "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [TLS] MS14-066 and the TLS premaster secret version check
Thread-Index: AQHQCKANe9uQDUMNukKycgPp/+r+z5xxrSOggABj/oCAAAAcQA==
Date: Wed, 26 Nov 2014 01:13:58 +0000
Message-ID: <BN3PR0301MB1250AA21EFB9649DD8AE40858C700@BN3PR0301MB1250.namprd03.prod.outlook.com>
References: <BLU177-W41509B9090B70F71C074CAC3730@phx.gbl>, <BN3PR0301MB12502D23F123924A138DB3F48C730@BN3PR0301MB1250.namprd03.prod.outlook.com> <BLU177-W29DCCEF437786974F9584C3700@phx.gbl>
In-Reply-To: <BLU177-W29DCCEF437786974F9584C3700@phx.gbl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::2]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1251;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1251;
x-forefront-prvs: 04073E895A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(51704005)(199003)(3905003)(377454003)(52314003)(13464003)(189002)(46102003)(99286002)(21056001)(92566001)(2201001)(106116001)(105586002)(92726001)(33656002)(95666004)(106356001)(120916001)(86362001)(101416001)(2656002)(15975445006)(54206007)(50986999)(15202345003)(122556002)(76176999)(54356999)(107886001)(87936001)(4396001)(54606007)(107046002)(99396003)(76576001)(62966003)(77096003)(77156002)(40100003)(97736003)(2501002)(31966008)(74316001)(64706001)(19580395003)(19580405001)(86612001)(20776003)(7059030)(3826002)(219293001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1251; H:BN3PR0301MB1250.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/iuVYkH30rY6uF0KoXo7u4ciJIJE
Subject: Re: [TLS] MS14-066 and the TLS premaster secret version check
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Nov 2014 01:14:23 -0000
> I asked because it backported a lot of Win8.1 SChannel in addition to the security fixes. In addition to security fixes, MS14-066 includes a back-port of cipher suites added by KB 2919355 (http://support.microsoft.com/kb/2919355) Unfortunately, MS14-066 includes the wrong version of a kernel binary, so it only adds the new ciphers for user-mode SSPI callers. When a kermel-mode SSPI caller (e.g. HTTP.SYS) negotiates one of the newly added cipher suites, the connection fails at the end of the handshake. Update 3018238 disables these new cipher suites, for now. > To be honest, they screwed up the backport of the new GCM cipher suites anyway, and to fix this will require a new SChannel, right? I expect that there will be a new update that will include the correct binaries, so the new cipher suites will work for the kernel-mode SSPI callers. Cheers, Andrei -----Original Message----- From: Yuhong Bao [mailto:yuhongbao_386@hotmail.com] Sent: Tuesday, November 25, 2014 4:38 PM To: Andrei Popov; tls@ietf.org; mrex@sap.com Subject: RE: [TLS] MS14-066 and the TLS premaster secret version check I asked because it backported a lot of Win8.1 SChannel in addition to the security fixes. To be honest, they screwed up the backport of the new GCM cipher suites anyway, and to fix this will require a new SChannel, right? ---------------------------------------- > From: Andrei.Popov@microsoft.com > To: yuhongbao_386@hotmail.com; tls@ietf.org; mrex@sap.com > Subject: RE: [TLS] MS14-066 and the TLS premaster secret version check > Date: Tue, 25 Nov 2014 23:43:03 +0000 > > Hi Yuhong, > > The interop problem related to premaster secret version check is resolved in Win8 and above. > > MS14-066 is not related: it fixes a few security issues we found internally. > > Cheers, > > Andrei > > -----Original Message----- > From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Yuhong Bao > Sent: Tuesday, November 25, 2014 3:07 AM > To: tls@ietf.org; mrex@sap.com > Subject: [TLS] MS14-066 and the TLS premaster secret version check > > Has the incorrect premaster secret version check described in this been fixed in MS14-066: > http://www.ietf.org/mail-archive/web/tls/current/msg08139.html > > Yuhong Bao > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] MS14-066 and the TLS premaster secret versi… Yuhong Bao
- Re: [TLS] MS14-066 and the TLS premaster secret v… Yuhong Bao
- Re: [TLS] MS14-066 and the TLS premaster secret v… Andrei Popov
- Re: [TLS] MS14-066 and the TLS premaster secret v… Yuhong Bao
- Re: [TLS] MS14-066 and the TLS premaster secret v… Andrei Popov
- Re: [TLS] MS14-066 and the TLS premaster secret v… Yuhong Bao
- Re: [TLS] MS14-066 and the TLS premaster secret v… Andrei Popov
- Re: [TLS] MS14-066 and the TLS premaster secret v… Yuhong Bao