IETF Logo Mail Archive

Re: [TLS] SCSVs and SSLv3 fallback

mrex@sap.com (Martin Rex) Tue, 23 April 2013 23:33 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C9E421F9631 for <tls@ietfa.amsl.com>; Tue, 23 Apr 2013 16:33:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.249
X-Spam-Level:
X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id huD21qGdP6fp for <tls@ietfa.amsl.com>; Tue, 23 Apr 2013 16:33:33 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 7D59C21F962E for <tls@ietf.org>; Tue, 23 Apr 2013 16:33:33 -0700 (PDT)
Received: from mail06.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r3NNXWmC018464 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 24 Apr 2013 01:33:32 +0200 (MEST)
In-Reply-To: <op.wv0n4xqg3dfyax@killashandra.invalid.invalid>
To: "Yngve N. Pettersen" <yngve@spec-work.net>
Date: Wed, 24 Apr 2013 01:33:31 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130423233331.EB4451A6CF@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2013 23:33:34 -0000

Yngve N. Pettersen wrote:
> >>
> >> I hope my proposal might manage that, but I don't think EKR and Adam's
> >> proposals will, since they try to work around the broken servers and
> >> middleboxes, and do not confront them.
> >
> > Not sure that's true.  From Eric's draft [3]:
> > """
> > If the SCSV value is present and is not equal to
> > ClientHello.client_version, then the server MUST terminate the
> > handshake with a fatal "handshake_failure" alert.
> > """
> >
> > From Adam's post [4]:
> > """
> > the semantics of TLS_CAPABLE_SCSV would be that servers would reject
> > any SSLv3 handshakes that included this ciphersuite with a fatal
> > error.
> > """

What I extremely dislike about both of these ideas is

(a) they both try to actively increase the interop failures,
    rather than decrease it

(b) they both ignore the various kinds of breakage out there
    in the installed base that may require ClientHello.client_version
    to have a specific value to make broken servers happy, rather than
    the value actually desired by the client.

(c) Keep in mind that there is not just old breakage out there,
    e.g. Microsoft shipped new breakage with Win7/Win2008R2 where
    they goofed the RSA premaster protocol version check on the
    renegotiation handshake.

For any kind of alternative TLS version negotiation, the server ought to
entirely ignore the existing ClientHello.client_version, and use the
new version signaling alone for determining the highest common protocol
version.


-Martin

v2.23.0 | Report a Bug | By Email