IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Brian Smith <brian@briansmith.org> Fri, 26 September 2014 18:58 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D4761A6FAB for <tls@ietfa.amsl.com>; Fri, 26 Sep 2014 11:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kqNgIEljsZol for <tls@ietfa.amsl.com>; Fri, 26 Sep 2014 11:58:55 -0700 (PDT)
Received: from mail-oi0-f49.google.com (mail-oi0-f49.google.com [209.85.218.49]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D1271A6F9F for <tls@ietf.org>; Fri, 26 Sep 2014 11:58:55 -0700 (PDT)
Received: by mail-oi0-f49.google.com with SMTP id e131so512340oig.36 for <tls@ietf.org>; Fri, 26 Sep 2014 11:58:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=HHouj9joNtL9ml6I8G4yI2b16dmr9xWKmMFpLw9nxaQ=; b=lbm0I3cJgmZzng6ncV0ARhxG0g7b4wHYvbnNItw7JVqiyJ4AMZp+8bd689QX17zZ1L Vj8UMT/kd921oiOcFGOSrjw5Miml6M/5P9OizVbTChIlMN97Dr2vkKy6Erll68YJYDoe 2ZaZNY7E0ynANsjjdDQ277BPyX9GtNxqVoYM0ekft4eCocuB5tBpy+3XK1IKj+7CQpaG xlh9lMxjzck9xTiKuIeIVGvTtLMJ7dLEzUg3QtdPRbDuOCnFPbXrUDhQHUQ6y9H9lZxm VjHaD2MU7aZt2joj4V+xnZ5GA5b1L2FNNhgSVtky2K6XztQyIwSsm568pMQGKTAIlklF NGXA==
X-Gm-Message-State: ALoCoQmyD3RvuCmOnnAngMWwhh966wiNYGBngw+163SdiE0kL3WpXdiY3zebcB8KC4vMSbCwpnQD
MIME-Version: 1.0
X-Received: by 10.60.58.36 with SMTP id n4mr24095404oeq.73.1411757934321; Fri, 26 Sep 2014 11:58:54 -0700 (PDT)
Received: by 10.76.74.36 with HTTP; Fri, 26 Sep 2014 11:58:54 -0700 (PDT)
In-Reply-To: <CADMpkc+wXf=SG3=C==SV77YXZdbXnbXspJLRZ1UORPF-WbVMEw@mail.gmail.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <CABkgnnUxeouqDNhYFGDC2xqUaT8r7zFvAT5U1OUGJwHwCOuOwA@mail.gmail.com> <CADMpkcJKJiTCQXdDbepyiAf22J9VC03DDgiE521n3NsNnFmALA@mail.gmail.com> <CABkgnnWo9KGMkRrmA0wkJ5Dfnzh2Vo-cveCe_UeH71F8K_4oWw@mail.gmail.com> <CADMpkcJpHeKGV-xc4Uon8KWj=+p=6nQO1_rxb6sRN04nFX--gQ@mail.gmail.com> <CABkgnnU8DyzRvvq1e24bUsZdwx48mFOC6KstZaUCbvyQ-WwesQ@mail.gmail.com> <CADMpkc+wXf=SG3=C==SV77YXZdbXnbXspJLRZ1UORPF-WbVMEw@mail.gmail.com>
Date: Fri, 26 Sep 2014 11:58:54 -0700
Message-ID: <CAFewVt5mEodyqB6TWCmvOUBek9Bnb43bmw5mAqph-hQU=F=EpA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/rXIskUjEJuL5rhPk6kEutO7dQ-c
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Sep 2014 18:58:58 -0000

On Fri, Sep 26, 2014 at 12:34 AM, Bodo Moeller <bmoeller@acm.org> wrote:
>> I'm OK with that, but if this is the real reason for the MUST, then
>> it's not particularly clear.
>
> Hm, maybe so. I can add a brief note showing how the handshake would fail if
> the server acts on the SCSV in this case, but I don't think the document
> should have to explain why we require the client to omit the SCSV rather
> than having the server ignore it. (Why would you want to send it if nothing
> follows from that?)

Here is what the draft actually says:

      However, as an exception to the above, when the client intends to
      perform an abbreviated handshake to resume a previously negotiated
      session and sets ClientHello.client_version to the protocol
      version negotiated for that session, the client MUST NOT include
      TLS_FALLBACK_SCSV in ClientHello.cipher_suites.

So, if the client does NOT set ClientHello.client_version to the
version negotiated for that session, then the client MAY send the SCSV
in the resumption handshake.

Now, if the server could indicate that it supports the SCSV somehow in
its ServerHello, then the client could save that acknowledgement in
the session state, and then make sure that it always sets
ClientHello.client_version to the highest version it supports,
regardless of the version that it negotiated for the session it is
trying to resume. That would be a very worthwhile addition to the
mechanism.

Cheers,
Brian

v2.23.0 | Report a Bug | By Email