Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Brian Smith <brian@briansmith.org> Tue, 21 October 2014 20:33 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/wdcczmK2GADCZUuq4Nl19ta4te0

On Mon, Oct 20, 2014 at 11:56 AM, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote:

> On 20/10/2014 19:32, Brian Smith wrote:
> > For compatibility reasons, clients should put the renegotiation info and
> > TLS_FALLBACK_SCSV at the end of the cipher suite list, to avoid this bug
> > and similar bugs in other server software. This should be added to the
> > draft too.
> >
> Currently, PolarSSL puts the renego SCSV at the beginning of the list and we
> didn't get any report of interop issues so far. However, if there's consensus
> that it's safer to put the SCSV at the end, I'll follow your advice and
> change that.
>
> (For the fallback scsv, obviously I added it at the end since we want to
> interop with the current version of OpenSSL.)
>

I am not sure if it is problematic to put the renegotiation_info SCSV
anywhere except the end. In NSS, it has always been at the end, as far as I
know. Not too long ago, NSS was changed to always use the TLS extension
instead of the SCSV except for SSL 3.0; see [1] for why. However, in
retrospect, this might have increased the amount of TLS extension
intolerance seen by NSS-based applications, if some servers are intolerant
to the renegotiation_info extension but not other ones sent by NSS.

In the case of TLS_FALLBACK_SCSV, it was assigned the value { 0x56, 0x00 }.
From past experience, we know that some implementations only look at the
second byte of the value. This means that some implementations may confuse
TLS_FALLBACK_SCSV with { 0x00, 0x00 }, which is TLS_NULL_WITH_NULL_NULL. Thus,
if you put TLS_FALLBACK_SCSV ahead of any real cipher suites, some
implementations may attempt to negotiate TLS_NULL_WITH_NULL_NULL,
especially if that implementation is attempting to honor the client's
cipher suite preference order. If that were to happen, the best case
scenario is that your client will refuse the server's choice of
TLS_NULL_WITH_NULL_NULL, which is not good. By putting TLS_FALLBACK_SCSV at
the end, you avoid this problem with these broken servers, assuming you offer
some cipher suite that they actually support. See [2]. Note that this kind of
broken server is the reason you'd be doing TLS intolerance fallback in the
first place.

Cheers,
Brian

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=549042#c4
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=946147#c5
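The following is an added illustration of the ordering problem Brian describes, not code from this thread or from NSS, PolarSSL or OpenSSL. The cipher suite code points are the real IANA values; the two server models and the client-side check are constructed, and the detail that the buggy server's second-byte table holds TLS_NULL_WITH_NULL_NULL in slot 0x00 is an assumption made to reproduce the collision.

```python
# Constructed model of cipher-suite selection with TLS_FALLBACK_SCSV placed
# first versus last in the ClientHello. Code points are real IANA values.
TLS_NULL_WITH_NULL_NULL = (0x00, 0x00)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = (0x00, 0xFF)
TLS_FALLBACK_SCSV = (0x56, 0x00)
TLS_RSA_WITH_AES_256_CBC_SHA = (0x00, 0x35)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = (0xC0, 0x2F)

SIGNALLING_VALUES = {TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_FALLBACK_SCSV}

# Constructed server configuration: the real suites the server will use.
SERVER_SUPPORTED = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA]


def select_correct(client_suites, supported=SERVER_SUPPORTED):
    """Correct server: full two-byte comparison, honouring client preference.
    SCSVs are never in the supported list, so they can never be selected."""
    for suite in client_suites:
        if suite in supported:
            return suite
    return None


def select_second_byte_only(client_suites, supported=SERVER_SUPPORTED):
    """Buggy server of the kind the message describes: it keys its cipher
    table on the second byte only. Assumed detail: slot 0x00 holds
    TLS_NULL_WITH_NULL_NULL as a placeholder, so { 0x56, 0x00 } collides."""
    table = {0x00: TLS_NULL_WITH_NULL_NULL}
    for suite in supported:
        table[suite[1]] = suite
    for suite in client_suites:
        if suite[1] in table:
            return table[suite[1]]
    return None


def client_accepts(chosen, offered):
    """Client-side check: the server's choice must be a real suite the
    client actually offered, never an SCSV and never the NULL suite."""
    return (chosen is not None and chosen in offered
            and chosen not in SIGNALLING_VALUES
            and chosen != TLS_NULL_WITH_NULL_NULL)


def handshake(client_suites, server_select):
    """Returns (suite chosen by the server, whether the client accepts it)."""
    chosen = server_select(client_suites)
    return chosen, client_accepts(chosen, client_suites)


SCSV_FIRST = [TLS_FALLBACK_SCSV] + SERVER_SUPPORTED   # SCSV ahead of real suites
SCSV_LAST = SERVER_SUPPORTED + [TLS_FALLBACK_SCSV]    # SCSV at the end
```

Against the correct server both orders negotiate the ECDHE suite; against the second-byte-only server, SCSV-first yields TLS_NULL_WITH_NULL_NULL, which the client then refuses, while SCSV-last still interoperates.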