IETF Logo Mail Archive

Re: [TLS] SCSVs and SSLv3 fallback

Trevor Perrin <trevp@trevp.net> Sat, 06 April 2013 16:59 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20AC321F8499 for <tls@ietfa.amsl.com>; Sat, 6 Apr 2013 09:59:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.426
X-Spam-Level:
X-Spam-Status: No, score=-0.426 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7snQlVCv5Zsa for <tls@ietfa.amsl.com>; Sat, 6 Apr 2013 09:59:07 -0700 (PDT)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id 4FA8521F8498 for <tls@ietf.org>; Sat, 6 Apr 2013 09:59:06 -0700 (PDT)
Received: by mail-we0-f173.google.com with SMTP id t57so3538117wey.32 for <tls@ietf.org>; Sat, 06 Apr 2013 09:59:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=9UUzkT7x9CQM/SPER8Rjrb/LYmoBMtTsC+aSV5BoY3Q=; b=OHmHhXwbgzexigZRIWv9vNPZYgM3q7NAaLBSi7ouxM3BAJsfZQQRZHuRK7I3Ass4O/ P3FPggZ2cLVRMYns69zbkiQvFFRSHWgXiBzjMWPwZsS8E8bUZcVFFLiGNLmuk7rUJJCh 5SwGVbERW3WDF2yqY3HzqkBTI8ScmNjaIyY6hUrS+tXIbjHK5uEazu5Iz2B9GPus7vYV C2XP1YTPWbs01eC6RZXIJnKEp1+v8ZQ+5npGNyxHjIJeiRgocq8uKeilp2IZDYhlrpDf n1okFXEEyaYM85X2eVNmev9gHHSiFhJkKy2ZmH/pM0ofMJcWzN6Iq1MsxNOiKEzK5NMm nu7g==
MIME-Version: 1.0
X-Received: by 10.180.105.99 with SMTP id gl3mr4888662wib.22.1365267546242; Sat, 06 Apr 2013 09:59:06 -0700 (PDT)
Received: by 10.217.119.134 with HTTP; Sat, 6 Apr 2013 09:59:06 -0700 (PDT)
X-Originating-IP: [173.164.206.245]
In-Reply-To: <op.wu4b9sxq3dfyax@killashandra.invalid.invalid>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid> <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com> <515F428E.2010900@gnutls.org> <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com> <D4CC5248-B1F1-498E-8058-5E17BADB3CE6@vpnc.org> <CAGZ8ZG2uvKs8-Sn9bvQyaP9t_E3BhkZFoi7Sq9wbxaHNpf_NDg@mail.gmail.com> <op.wu3cctbc3dfyax@killashandra.invalid.invalid> <CAGZ8ZG3H6wPnLZE3CkBGHMiMXvdA-VBM911t+tzPqW5ggJr2PA@mail.gmail.com> <op.wu4b9sxq3dfyax@killashandra.invalid.invalid>
Date: Sat, 06 Apr 2013 09:59:06 -0700
Message-ID: <CAGZ8ZG2yVYPkOFFvSKF0Q18CREHtzfeeTdZpi0Cxhi-OQBr8nA@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: "Yngve N. Pettersen" <yngve@spec-work.net>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQks8FTnhERcCKasMzxPTwPzI2U3bOR9bP2IDnImZ8KjLYRsQOhj8Qd0CNKxOYkDLr+eoIPd
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2013 16:59:08 -0000

On Sat, Apr 6, 2013 at 5:14 AM, Yngve N. Pettersen <yngve@spec-work.net> wrote:
> On Sat, 06 Apr 2013 06:41:33 +0200, Trevor Perrin <trevp@trevp.net> wrote:
>>
>> Suppose the SCSV is only allowed in the specific case of an SSLv3
>> fallback where an extension response is required or the connection
>> will fail (due to a requirement for TACK, CT, or OCSP).
>>
>> In this case, it can't break anything because the connection is
>> already going to be broken.  It's not guaranteed to work, but there's
>> evidence it might.
>>
>> Does that address this concern?
>
>
> No, it does not.
[...]
> we do not at present know if the SCSV
> variant will work in all cases.
[...]
> So, using an SCSV in the SSL v3 handshake do risk breaking a handshake that
> would otherwise have completed.

No, you missed my point.

I was proposing using SCSVs only in the case that an SSLv3 fallback is
necessary, and the browser *REQUIRES* some data from the server (TACK,
CT, OCSP), or the browser will refuse the connection.

Example:  Suppose a browser has an active TACK pin for a domain, but
sending a TLS ClientHello to that domain results in a TCP reset.

Since the TACK pin exists, the browser can assume it is not contacting
a TLS-intolerant server.  But a TLS-intolerant middlebox seems like a
possibility (though we still need more data on prevalence).  I believe
current browsers would want to try an SSLv3 fallback in this case, to
attempt to work around the interference.

However!  SSLv3 fallback is pointless here unless the browser has some
chance of signalling that it requires a tack, and receiving it.

I am proposing giving this a chance of working, by using the same SCSV
/ ServerHello Extension idiom that has worked for RFC 5746.

Of course, this might not work for any specific middlebox!  But if the
middlebox allows unknown ciphersuites and data at the end of the SSL
ServerHello, then it will.  And if the middlebox has been patched to
whitelist the specific 5746 SCSV and ServerHello extension, that
implies it could be upgraded for new uses of this idiom as well.


Trevor

v2.23.0 | Report a Bug | By Email