IETF Logo Mail Archive

Re: [TLS] inappropriate_fallback

Eric Rescorla <ekr@rtfm.com> Wed, 08 August 2018 14:06 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1771C130DC2 for <tls@ietfa.amsl.com>; Wed, 8 Aug 2018 07:06:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NqHa0ROCerwa for <tls@ietfa.amsl.com>; Wed, 8 Aug 2018 07:06:43 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A818F127598 for <tls@ietf.org>; Wed, 8 Aug 2018 07:06:42 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id f135-v6so1659321lfg.10 for <tls@ietf.org>; Wed, 08 Aug 2018 07:06:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fGg8w1x6SQEy+zSjVmk+gDzlKIW+q9ALnCo9vsOeafY=; b=XZwL/xSuO29ur+NFXUh/rl4aO77MLmkAcmpWYuUe2q4fG1mFk4sDeU3EBnxeRrj5T+ VzEZumPnwkbpSQC+ByALkm7M1FeC9fZxqttFGKZjeUgkwHJ3U90kasEbRqiTwLIBqTcp nNTws9ei3E7f/9389WxG1oAEgYECTuQPslIKoE5gPtfUjXIlRkP/7B31vjKP1EXiP6uv OlusVUCH3I2A8rD9yU1o4Hmx2eGNvkN+v0lNWdx59ik9WgtxKvAxH+Kl6mX5BLFI3NpF pjSbgD1vhnn6pMAGJD60I0iR228CwC4v4aAWbkjPMbA+MV4AvVBuV5oJu8dTrt6a1nhu b5ew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fGg8w1x6SQEy+zSjVmk+gDzlKIW+q9ALnCo9vsOeafY=; b=brvRngsu5SSr03dM309qQnyPpFSKlbvu0w12vfRKksVvr8B7/LAhJxOlYN/quC8oyd CsE6qc+i6stSsG9MjQr08VrAnM/Z6GuuI61xm7czQIoBk+EcSzYKIj9QyXrkuD8Sbx2i 2evaNedcJMBNQMq4pNv2LDP/0RwoKzGF8Ii3jNjVTUJOb4zP3IQme8Jy+AyTZIdLlMIy PyTBK+Bt2Iw26+vX5JobtbpMx+nI9rpCkg9dC13+FAN6kMCTPu+Q7131perqAC+Jbs3w hh68HVvSOEnkXA/ZdpdiH/oh7Oe5w+MnjHlI57Mjgyj1rZ7cy+cdjC06wCwyrhHluZRS IZfw==
X-Gm-Message-State: AOUpUlGskXWTXihutSJq6s3KqsRtt2FjGwzOmu2vNi5pW9VDvKLoh85X RRpjhlykRDIrQ3P1GzRZ53GZz6w+sPcZAikXf6mAyuZX
X-Google-Smtp-Source: AA+uWPzellpBed0trX/LYYowzLx5sJUM+qIhdCYwlKsrmzol+L2lfvm3pYKxBph4ATFTWj0j5Dm0Lgcrh4IhWWuPZXY=
X-Received: by 2002:a19:7403:: with SMTP id v3-v6mr562766lfe.97.1533737200981; Wed, 08 Aug 2018 07:06:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Wed, 8 Aug 2018 07:06:00 -0700 (PDT)
In-Reply-To: <20180808140159.GR28516@akamai.com>
References: <2fd24f64-bee5-18ed-cf0d-0fc999add395@openssl.org> <20180808132151.GQ28516@akamai.com> <4fe1cef1-2dd2-3838-9019-a97dd4dbe776@openssl.org> <CABcZeBM2Fmo03S=acb=ouZcyV=5-H5dV3is6TJjAJj-SDeRmBw@mail.gmail.com> <b18313b5-ca58-cf66-be72-46ad9ffb4ae0@openssl.org> <20180808140159.GR28516@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 08 Aug 2018 07:06:00 -0700
Message-ID: <CABcZeBOgg0=1G4ENBF+wqZNFLfD6Q60674_G8cJqPZr7oQ9FMw@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: Matt Caswell <matt@openssl.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000b2e900572ed0524"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mOiMDusQGWDI8f51ZXrHWkhDf3w>
Subject: Re: [TLS] inappropriate_fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Aug 2018 14:06:45 -0000

The spec is actually extremely clear on this point
https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3

   TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
   MUST check that the last 8 bytes are not equal to either of these
   values.  TLS 1.2 clients SHOULD also check that the last 8 bytes are
   not equal to the second value if the ServerHello indicates TLS 1.1 or
   below.  If a match is found, the client MUST abort the handshake with
   an "illegal_parameter" alert.

I think it's way late to change it.

-Ekr





On Wed, Aug 8, 2018 at 7:01 AM, Benjamin Kaduk <bkaduk@akamai.com> wrote:

> On Wed, Aug 08, 2018 at 02:52:27PM +0100, Matt Caswell wrote:
> >
> >
> > On 08/08/18 14:45, Eric Rescorla wrote:
> > >
> > >
> > > On Wed, Aug 8, 2018 at 6:26 AM, Matt Caswell <matt@openssl.org
> > > <mailto:matt@openssl.org>> wrote:
> > >
> > >
> > >
> > >     On 08/08/18 14:21, Benjamin Kaduk wrote:
> > >     > On Wed, Aug 08, 2018 at 02:05:00PM +0100, Matt Caswell wrote:
> > >     >> Draft 28 defines the inappropriate_fallback alert as follows:
> > >     >>
> > >     >> inappropriate_fallback  Sent by a server in response to an
> invalid
> > >     >>       connection retry attempt from a client
> > >     >>
> > >     >> With the introduction of the downgrade protection sentinels it
> now seems
> > >     >> that an inappropriate fallback could also be detected by the
> client.
> > >     >> Should this wording be changed?
> > >     >
> > >     > Well, *fallback* specifically is inherently client-driven; the
> things the
> > >     > client could detect would be more of an incorrectly negotiated
> version
> > >     > (presumably due to an active attack).
> > >
> > >     Consider the scenario where a server supports TLSv1.3/TLSv1.2 but
> does
> > >     not support RFC7507 (TLS Fallback Signalling Cipher Suite Value).
> > >
> > >     If the client attempts a TLSv1.3 connection first and fails (e.g.
> an
> > >     active attacker prevented it) and then falls back to TLSv1.2 it
> would be
> > >     able to detect that its fallback attempt was inappropriate when it
> sees
> > >     the downgrade protection sentinels. In that case
> inappropriate_fallback
> > >     seems reasonable.
> > >
> > >
> > > I don't think that is the alert I would choose in this circumstance.
> > > Probably "illegal_parameter"
> >
> > illegal_parameter suggests to me that the peer is misbehaving in some
> > way - which isn't the case here? Also it seems strange that we would
> > have a more explicit alert than the generic illegal_parameter, that
> > seems to precisely describe the scenario (a fallback occurred, and it
> > turns out it was inappropriate) but not be able to use it.
>
> Aren't the semantics here "whoops, I made a new connection attempt that
> I shouldn't have; let me go back out of that"?  In which case one could
> argue even for close_notify...
>
> -Ben
>

v2.23.0 | Report a Bug | By Email