IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Andrey Jivsov <crypto@brainhub.org> Fri, 17 October 2014 08:00 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B5EE1A9107 for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 01:00:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aqM4ClnBiUnl for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 01:00:02 -0700 (PDT)
Received: from resqmta-ch2-09v.sys.comcast.net (resqmta-ch2-09v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:41]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 195C21A90FC for <tls@ietf.org>; Fri, 17 Oct 2014 01:00:01 -0700 (PDT)
Received: from resomta-ch2-16v.sys.comcast.net ([69.252.207.112]) by resqmta-ch2-09v.sys.comcast.net with comcast id 48001p0022S2Q5R01800xz; Fri, 17 Oct 2014 08:00:00 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-ch2-16v.sys.comcast.net with comcast id 47zz1p0044uhcbK017zzEg; Fri, 17 Oct 2014 08:00:00 +0000
Message-ID: <5440CC7F.1020608@brainhub.org>
Date: Fri, 17 Oct 2014 00:59:59 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: tls@ietf.org
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5438CFEA.7000401@brainhub.org>
In-Reply-To: <5438CFEA.7000401@brainhub.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1413532800; bh=YhssBP6FDii5AHGA7c+ujbCFDCrZZYHJgUYO1LGHKME=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=IzjtB18KiZlzbXj7PMK+TmFLkTspjdpfX9dObhDh0TnsXEkk6tBh1j0iPoPXyGKQj Icmvi+NbyN6PbvOflL5EVrSQB1YyX0j1jT4UHkkUdPWpgOLaeoXuYYqWVb0gWc0ysY s45TOBfY8vmKhGfBSpvWkANnzTaoAJHhQE6v9KkUzhrohHrWdwWhTghym3tPH/m9QV t7aVysQa5rBOlVSP5caEZ5liCs0/jfD6fLPC85+KSnU7LHiBmRNAANjTyRho3eOWY2 0MTwET65OWm0tsMyEUSQgVuYAAncssmdDdONSAE1K2agCs83vaC+Y5Uf7ZiB3ObYzs fFxRjjB/5I8Qw==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/w6wfGpjsimx99gMvbgVxnLtSnJ8
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 08:00:04 -0000

(On handling of the downgrade to a recent versions of the protocols, 
i.e. TLS1.3 to 1.2 or TLS1.2 to TLS1.1.)

Today, for example,

    www.wellsfargo.com, citibank.com, and bankofamerica.com don't 
support TLS 1.1 and

    mozilla.com doesn't support TLS 1.2.

The draft -00 asks the server supporting TLS 1.2 to fail the TLS 1.1 in 
some cases, while significant amount of traffic on the Internet goes 
over TLS 1.0.

I propose the following change that allows to do exactly what rev -00 
says, but now enables more tolerant server behaviour.

The text captures the need to be more forceful on the lower (insecure) 
end of the SSL2.0 - TLS1.2 range, while being more tolerant with more 
recent (secure) versions.

 > 3. Server behaviour
 >
 > This section specifies server behaviour when receiving the
 > TLS_FALLBACK_SCSV cipher suite from a client in
 > ClientHello.cipher_suites.
 >
> When TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the
> highest version of the protocol supported by the server is greater
> than the version indicated in ClientHello.client_version, this is an
> indication to the server that the client chose lower version of the
> protocol in its ClientHello message than the client is capable of
> negotiating.
 >
> When the server detects the above scenario, it MUST respond with an
> inappropriate_fallback alert when ClientHello.client_version
> indicates version <XXX> or lower and MAY respond with an
> inappropriate_fallback alert for higher versions of the protocol.

I would further propose to set <XXX> = SSL 3.0 and I accept to have it 
at TLS 1.0 as a second choice.

In the first case, it's easy to notice that if the server has disabled 
SSLv3 (and SSLv2) and tolerates TLS 1.0 and TLS 1.1, the server is 
compliant with the TLS_FALLBACK_SCSV.

If <XXX> = TLS 1.0, SSL3.0, SSL2.0 are disabled, the server may consider 
TLS 1.1 as acceptable (but also may choose to be intolerant of it + 
SCSV, although IMO this is undesirable today) but the server is required 
to issue inappropriate_fallback for TLS 1.0+SCSV. The server will need 
to implement parsing of SCSV in this case because it is required to 
distinguish TLS 1.0 from TLS 1.0+SCSV and have code to issue 
inappropriate_fallback.

Thank you.

v2.23.0 | Report a Bug | By Email