Re: [TLS] Fallback SCSV summary

Hubert Kario <hkario@redhat.com> Mon, 10 November 2014 16:48 UTC

From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Mon, 10 Nov 2014 17:48:24 +0100
Message-ID: <4414621.ICZNB95z47@pintsize.usersys.redhat.com>
In-Reply-To: <op.xozlpdnx3dfyax@killashandra.invalid.invalid>
References: <CAOgPGoDr-UyBHpY3TMfPA8b_b3Brtpj3iYRt7a86ZNR8LunfuA@mail.gmail.com> <op.xozlpdnx3dfyax@killashandra.invalid.invalid>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/p6WxWjaeKp16czm-OSgCf-lLIf4

On Saturday 08 November 2014 04:37:51 Yngve N. Pettersen wrote:
> Hello all,
> 
> Below are some statistics that I did not complete gathering until this
> week, related to something I think was mentioned in the SCSV discussion
> thread a couple of weeks ago: Some servers are apparently intolerant to
> the SCSV, and attempts to connect using the SCSV will fail.
> 
> My TLS Prober runs indicate that 2.5% of servers will fail a connection
> using the SCSV when it is placed at the last position in the cipher suite
> list, and 4.9% will fail if it is placed at the beginning of the list.

I'm assuming you mean a test with a ClientHello that otherwise includes ciphers 
that were verified as supported by the server, includes the RC4 ciphers in the 
first 64 ciphers and is smaller than 256 bytes.

In other words, tested in a way that won't trigger other common bugs.
-- 
Regards,
Hubert Kario