IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Andrey Jivsov <crypto@brainhub.org> Sat, 25 October 2014 08:21 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4047A1A8029 for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 01:21:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X953IeL3PB0Z for <tls@ietfa.amsl.com>; Sat, 25 Oct 2014 01:21:24 -0700 (PDT)
Received: from resqmta-po-09v.sys.comcast.net (resqmta-po-09v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:168]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 375611A70E2 for <tls@ietf.org>; Sat, 25 Oct 2014 01:21:24 -0700 (PDT)
Received: from resomta-po-17v.sys.comcast.net ([96.114.154.241]) by resqmta-po-09v.sys.comcast.net with comcast id 7LMP1p0045Clt1L01LMPWs; Sat, 25 Oct 2014 08:21:23 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-po-17v.sys.comcast.net with comcast id 7LMN1p00K4uhcbK01LMP8D; Sat, 25 Oct 2014 08:21:23 +0000
Message-ID: <544B5D82.2080900@brainhub.org>
Date: Sat, 25 Oct 2014 01:21:22 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Martin Thomson <martin.thomson@gmail.com>, Andrey Jivsov <crypto@brainhub.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5449E969.9000800@brainhub.org> <CADMpkc+cLJNMYZb4OqukM7qT1aPsqEmCF0JxOyuLYe=78BEcgQ@mail.gmail.com> <544AB4B4.2010305@brainhub.org> <CADMpkc+cku0G6SKs7ZX6oHidiP2X8x8KfB9+E7mjYcNDXrPw9w@mail.gmail.com> <544B5764.9020006@brainhub.org> <CABkgnnVcNgC0SXFkfLYJHyxWe0uxDDShfgPgH=JmmTv0KVQhpg@mail.gmail.com>
In-Reply-To: <CABkgnnVcNgC0SXFkfLYJHyxWe0uxDDShfgPgH=JmmTv0KVQhpg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1414225283; bh=WodbrnGB9+yp3aj3L2p4aZQvFh9b8oADGimPjKgT770=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=qI/cEQbrqyGVCyg5YvFCeMZXxDCpL43ddW+bZoASQTznt77bk/WCCHrYaw+DLLinD 6op5yNn4zmkEQtF5CpJ1Pxp8M7mfY2Gc2KPDoTNu+5SOexw1fjouFT9SXvbEIdVTsn swnI0FpFPkQU/QCN22VcPgU+TpJ+XRSzDdcPccf8e+Exa0lvKPpVjtprVDhZpGYtpn Kv/cb13ndU80SmooQCgfbo2wOH38ZSyMauvb4JHICTEKpKdvrKaJZlI40EddozyvC+ Ya6fGUcuWLTywBqvcS01vOVK43yGS23b9UGAU+Zmf96LxSF7Q1/TpCFkw9o0vk4lVM i7fAwHIfc/OKg==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/wiU9_-ezyAFmnHgwJtp1HLN34As
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Oct 2014 08:21:27 -0000

On 10/25/2014 01:02 AM, Martin Thomson wrote:
> On 25 October 2014 00:55, Andrey Jivsov <crypto@brainhub.org> wrote:
>> Repeating my point earlier, it looks kind of harsh to fail TLS 1.1 on the
>> server when it can only negotiate SSL3.0 with that client.
> Why, if the client is willing to do TLS 1.1, there's an unnecessary fallback.
In my example the client failed TLS1.2 ClientHello and decided 
(incorrectly, due to network failure, etc) to do TLS1.1+TLS_FALLBACK_SCSV.

>
> Note that the maximum version in play is always the maximum version
> that the server (or client) is willing to negotiate.
The above is too general, so let's ignore it for now :-)
> If a server is
> capable of 1.2, but configured with 1.1, only downgraded handshakes to
> 1.0 or SSL will cause the alert to be generated.
I don't think this is what Bodo is saying. Sec 3 (server) is missing the 
concept of "configured", while the sec 4 (client) has it.

My example again is:

* the server capable of TLS 1.2 and lower. I mean, it will accept TLS 
1.2 ClientHello.
* the pair of the server and client happened to only able negotiate a 
ciphersuite that is set on the server to be SSL3.0
* client sends TLS1.1+TLS_FALLBACK_SCSV

So, what is server's maximum version? Bodo says it's TLS1.2. Thus, 
TLS1.1+TLS_FALLBACK_SCSV must fail. I say it's harsh because this pair 
can only negotiate SSL 3.0.

v2.23.0 | Report a Bug | By Email