IETF Logo Mail Archive

Re: [TLS] checking on an scsv point

mrex@sap.com (Martin Rex) Wed, 18 February 2015 00:16 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D6AD1A910A for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 16:16:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.251
X-Spam-Level:
X-Spam-Status: No, score=-6.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RgUtjFHPJmjv for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 16:16:10 -0800 (PST)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADC3C1A8840 for <tls@ietf.org>; Tue, 17 Feb 2015 16:16:09 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 61AA72AC04; Wed, 18 Feb 2015 01:16:06 +0100 (CET)
X-purgate-ID: 152705::1424218567-0000765A-7D2062A8/0/0
X-purgate-size: 2721
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 7990F42FAD; Wed, 18 Feb 2015 01:16:06 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 735991B1B1; Wed, 18 Feb 2015 01:16:06 +0100 (CET)
In-Reply-To: <CALuAYvYZut20D=73f58RL+mykR_r5kQAqYKeoubH2i6dipDrAw@mail.gmail.com>
To: Henrik Grubbström <grubba@gmail.com>
Date: Wed, 18 Feb 2015 01:16:06 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20150218001606.735991B1B1@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/wtM_sRqSnRPYzerYfXdpgwbTW08>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] checking on an scsv point
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 00:16:14 -0000

Henrik Grubbström wrote:
> 
> I also fail to see how you can call this less complex and without new
> connection establishment, as for the FALLBACK_SCSV to have been
> asserted there will already have been a reconnect.

Just using a connection established with
(ClientHello.client_version+1) will be less complexity for
clients (that implement this alternative behaviour properly)
because the app will not have to establish a new connection
and go through the entire app-level protocol preparations again
(HTTP CONNECT proxy and/or STARTTLS prologue)

> 
> > Keep in mind that I'm NOT asking to make early adopter servers(!)
> > non-compliant.  Admittedly, I don't know what exactly the early
> > adopting clients will currently do when they receive
> 
> Yes, this will break (probably most) early adopters,

In which way does it "break" early adopters.
The fatal alert will unconditionally result in complete interop
failure on the established connection.  The "worst" that could possibly
happen is a "different kind of complete interop failure" but an interop
failure is an interop failure is an interop failure.  So really, making
it worse for the current handshake is factually impossible.

>
> as good practice in applications (especially those involving crypto)
> is to validate that all parameters are within the expected range,
> and it isn't allowed for a server to bump the protocol version above
> what the client requested.

It was the CLIENT(!!) who asserted the FALLBACK_SCSV in the first
place, complaining loudly that it would really like to use a higher
TLS protocol version that what the client placed into
ClientHello.client_version, so this reasoning is bogus here.


>
> I suspect the most common failure is a protocol_version alert.

The whole proposal started because the client believes that the
protocol options that the server negotiates would be options that
the client rather does not want.  So what kind of alert the client
sends if it wants to abort the current handshake and start a new one,
doesn't really matter for the server here.

What matters is that the server does not have to take the blame for
the handshake failure.  This will be left to the client, who started
the FALLBACK_SCSV dance.  For this particular connection, the server
has the necessary state to make this handshake failure "soft"
(i.e. not stand out in the traces), when the client aborts in response
to the servers selection of
  ServerHello.server_version = (ClientHello.client_version+1)

so I really don't mind such a client behaviour.

Servers not implementing the alternative approach do not have to bother
about this outcome.


-Martin

v2.23.0 | Report a Bug | By Email