Re: [TLS] SCSVs and SSLv3 fallback
Geoffrey Keating <geoffk@geoffk.org> Thu, 04 April 2013 21:54 UTC
Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D5BC21F8712 for <tls@ietfa.amsl.com>; Thu, 4 Apr 2013 14:54:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cPP-mL1AJ7x for <tls@ietfa.amsl.com>; Thu, 4 Apr 2013 14:54:27 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.118.138]) by ietfa.amsl.com (Postfix) with ESMTP id DA9A021F86DC for <tls@ietf.org>; Thu, 4 Apr 2013 14:54:27 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 5F5A733D122; Thu, 4 Apr 2013 21:54:25 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Trevor Perrin <trevp@trevp.net>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Thu, 04 Apr 2013 14:54:25 -0700
In-Reply-To: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com>
Message-ID: <m2a9permge.fsf@localhost.localdomain>
Lines: 51
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: tls@ietf.org
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2013 21:54:29 -0000
Trevor Perrin <trevp@trevp.net> writes: > Hi, > > I've heard (anecdotally) that HTTPS between browsers and webservers > who are both TLS-capable sometimes results in SSLv3 connections. > Presumably this is due to firewall interference with the TLS > handshake, causing browsers to retry an SSLv3 handshake. The name of one firewall which is confirmed to do this would make it a lot more convincing... It's likely that some TLS connections failed due to packet loss or a busy server and so the 'fallback' was a mistake. > I believe TLS Extensions are generally not sent in the SSLv3 > ClientHello (?). This isn't a major problem for TLS Extensions as > optimizations (e.g. session tickets or OCSP stapling). > > However, there are proposals that *require* a TLS Extension response, > for security: > - TACK's "TackExtension" [1] > - Certificate Transparency's "SignedCertificateTimestampList" [2] > - OCSP stapling in the presence of an X.509 "must-staple" extension [3] > > How should these work in the case of a network-triggered SSLv3 fallback? I would phrase this as "how should these work when under attack and the attacker is blocking extensions". In the case of TACK, I think it should work by saying that if you've previously negotiated TACK, therefore the server must previously have supported at least TLSv1+extensions, so you SHOULD NOT fall back to a SSLv3 ClientHello for that server, and if you do, you MUST continue to apply any active pin. > One proposal would note that some browsers do, I think, send the > RFC5746 TLS_EMPTY_RENEGOTIATION_INFO_SCSV ciphersuite in an SSLv3 > ClientHello, and receive a "renegotiation_info" ServerHello extension > in return. I don't believe sending the ServerHello extension is the important part of that protocol, the key part is that the server rejects any renegotiation where the ciphersuite is included. > So there's evidence that this idiom of a "special ciphersuite value" > in an SSLv3 ClientHello, and a TLS Extension in ServerHello, is > "compatible-enough" with the horrible middleboxes triggering these > fallbacks. For counter-evidence, see <https://bugzilla.mozilla.org/show_bug.cgi?id=672749>.
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Hanno Böck
- Re: [TLS] SCSVs and SSLv3 fallback Geoffrey Keating
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Joseph Birr-Pixton
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Paul Hoffman
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Adam Langley
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yoav Nir