Re: [TLS] SCSVs and SSLv3 fallback
mrex@sap.com (Martin Rex) Mon, 08 April 2013 21:31 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 140BD21F9133 for <tls@ietfa.amsl.com>; Mon, 8 Apr 2013 14:31:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.21
X-Spam-Level:
X-Spam-Status: No, score=-10.21 tagged_above=-999 required=5 tests=[AWL=0.039, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zo9EqIbF3ARR for <tls@ietfa.amsl.com>; Mon, 8 Apr 2013 14:31:23 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 38B3D21F8FED for <tls@ietf.org>; Mon, 8 Apr 2013 14:31:23 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r38LVLUO023218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 8 Apr 2013 23:31:21 +0200 (MEST)
In-Reply-To: <op.wu8ppkb73dfyax@killashandra.invalid.invalid>
To: "Yngve N. Pettersen" <yngve@spec-work.net>
Date: Mon, 08 Apr 2013 23:31:21 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130408213121.C150B1A698@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 21:31:24 -0000
Yngve N. Pettersen wrote: > Martin Rex <mrex@sap.com> wrote: > > > > Why would you ever check for 4.xx version numbers? > > > > Rejecting 4.x version numbers is perfectly OK for TLS servers! > > > > rfc5246 says: > > TLS servers > > compliant with this specification MUST accept any value {03,XX} as > > the record layer version number for ClientHello. > > > > TLS clients that wish to negotiate with older servers MAY send any > > value {03,XX} as the record layer version number. > > > > A TLS client that uses a version {04,00} at the record layer or in > > ClientHello.client_version is squarely in undefined territory, > > and every conceivable server behaviour is perfectly compliant > > with the TLSv1.2 spec. (Personally, however, I believe that > > crashing is never a valid option for the server). > > The keywords are "forward compatibility". > > And your quote concerns the *record* layer version, which is 3.1 in my > testcase. > > The 4.1 that I am using in my test, is set in the > *ClientHello.client_version* field. > > IMO a SSL/TLS server MUST tolerate ANY ClientHello.client_version larger > than its own highest supported version, and when returning the Server > Hello will reply with whatever its highest supported version is. Quoting from rfc4346 (TLS v1.1 Record Protocol PDU): http://tools.ietf.org/html/rfc4346#page-18 struct { uint8 major, minor; } ProtocolVersion; struct { ContentType type; ProtocolVersion version; uint16 length; opaque fragment[TLSPlaintext.length]; } TLSPlaintext; A TLS client that sends a ClientHello.client_version with major=4,minor=1 and expecting interop on SSLv3,TLSv1.0,TLSv1.1 or TLSv1.2 is just as misguided as a client that sends a ClientHello.client_version with major=254, minor=255 and expecting interop on SSLv3,TLSv1.0,TLSv1.1 or TLSv1.2. The meaning of the latter protocol version is defined here: http://tools.ietf.org/html/rfc4347 and there is *NO* reservation or requirement in rfc5246 that would could be interpreted to make "major=4" any less invalid than "major=254". -Martin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Hanno Böck
- Re: [TLS] SCSVs and SSLv3 fallback Geoffrey Keating
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Joseph Birr-Pixton
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Paul Hoffman
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Adam Langley
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yoav Nir