Re: [TLS] checking on an scsv point
mrex@sap.com (Martin Rex) Wed, 18 February 2015 00:16 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D6AD1A910A for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 16:16:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.251
X-Spam-Level:
X-Spam-Status: No, score=-6.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RgUtjFHPJmjv for <tls@ietfa.amsl.com>; Tue, 17 Feb 2015 16:16:10 -0800 (PST)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADC3C1A8840 for <tls@ietf.org>; Tue, 17 Feb 2015 16:16:09 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 61AA72AC04; Wed, 18 Feb 2015 01:16:06 +0100 (CET)
X-purgate-ID: 152705::1424218567-0000765A-7D2062A8/0/0
X-purgate-size: 2721
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 7990F42FAD; Wed, 18 Feb 2015 01:16:06 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 735991B1B1; Wed, 18 Feb 2015 01:16:06 +0100 (CET)
In-Reply-To: <CALuAYvYZut20D=73f58RL+mykR_r5kQAqYKeoubH2i6dipDrAw@mail.gmail.com>
To: Henrik Grubbström <grubba@gmail.com>
Date: Wed, 18 Feb 2015 01:16:06 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="ISO-8859-1"
Message-Id: <20150218001606.735991B1B1@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/wtM_sRqSnRPYzerYfXdpgwbTW08>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] checking on an scsv point
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 00:16:14 -0000
Henrik Grubbström wrote: > > I also fail to see how you can call this less complex and without new > connection establishment, as for the FALLBACK_SCSV to have been > asserted there will already have been a reconnect. Just using a connection established with (ClientHello.client_version+1) will be less complexity for clients (that implement this alternative behaviour properly) because the app will not have to establish a new connection and go through the entire app-level protocol preparations again (HTTP CONNECT proxy and/or STARTTLS prologue) > > > Keep in mind that I'm NOT asking to make early adopter servers(!) > > non-compliant. Admittedly, I don't know what exactly the early > > adopting clients will currently do when they receive > > Yes, this will break (probably most) early adopters, In which way does it "break" early adopters. The fatal alert will unconditionally result in complete interop failure on the established connection. The "worst" that could possibly happen is a "different kind of complete interop failure" but an interop failure is an interop failure is an interop failure. So really, making it worse for the current handshake is factually impossible. > > as good practice in applications (especially those involving crypto) > is to validate that all parameters are within the expected range, > and it isn't allowed for a server to bump the protocol version above > what the client requested. It was the CLIENT(!!) who asserted the FALLBACK_SCSV in the first place, complaining loudly that it would really like to use a higher TLS protocol version that what the client placed into ClientHello.client_version, so this reasoning is bogus here. > > I suspect the most common failure is a protocol_version alert. The whole proposal started because the client believes that the protocol options that the server negotiates would be options that the client rather does not want. So what kind of alert the client sends if it wants to abort the current handshake and start a new one, doesn't really matter for the server here. What matters is that the server does not have to take the blame for the handshake failure. This will be left to the client, who started the FALLBACK_SCSV dance. For this particular connection, the server has the necessary state to make this handshake failure "soft" (i.e. not stand out in the traces), when the client aborts in response to the servers selection of ServerHello.server_version = (ClientHello.client_version+1) so I really don't mind such a client behaviour. Servers not implementing the alternative approach do not have to bother about this outcome. -Martin
- [TLS] checking on an scsv point Stephen Farrell
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Henrik Grubbström
- Re: [TLS] checking on an scsv point David Benjamin
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Thomson
- Re: [TLS] checking on an scsv point Martin Rex
- Re: [TLS] checking on an scsv point Martin Thomson