IETF Logo Mail Archive

Re: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)

Martin Thomson <martin.thomson@gmail.com> Fri, 17 October 2014 20:03 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E2AA1A0164 for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 13:03:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kku9-TeAoYTY for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 13:03:25 -0700 (PDT)
Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C2721A003B for <tls@ietf.org>; Fri, 17 Oct 2014 13:03:25 -0700 (PDT)
Received: by mail-la0-f54.google.com with SMTP id gm9so1306555lab.13 for <tls@ietf.org>; Fri, 17 Oct 2014 13:03:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DV7jue0Y1HO92+kExlFI/gZ75E0myF4ENYc7qD4Dyd4=; b=JvPt+8pBJlY1oO+sUS68Av8qDBCeD0EYhecCbjVkIph8LlVmmJpNlcK/vCda8VIVbP syNSNlm9ZDDQGH+HwPy9DKlXMKfHFgGWNCAQANnkIg5qhFO5m4krfq/gGWkLUNPKTk8Y DrQT5iDZS6rVebw3S2atTDCrV6VmcN8tz+piWWdEvk28Icxhjd18p9N/d6t8eez86poD etrCwavcKlcYgy/oKLHsi8NhYJi8jYCY5HeUR2g/hQ4+oXTLo9H4jhuKZsdojsqg6p9P 4kMLL6u8Y92Nzsc0UQ/2Y3nCCtECsaz6YKU9zZ91+d9zcC8He2KgOmGWZuAuQwotO7mN fVyA==
MIME-Version: 1.0
X-Received: by 10.152.216.200 with SMTP id os8mr5554962lac.85.1413576203824; Fri, 17 Oct 2014 13:03:23 -0700 (PDT)
Received: by 10.25.215.217 with HTTP; Fri, 17 Oct 2014 13:03:23 -0700 (PDT)
In-Reply-To: <CADMpkcLRCsfQSr0=f97kXJw3RwHN5A79MYQ2j7XaxPxUy2MCLg@mail.gmail.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <543F9893.806@redhat.com> <543FA0A0.1030205@polarssl.org> <543FCAED.50502@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECECB4@USMBX1.msg.corp.akamai.com> <5440E005.6000607@redhat.com> <180027849.13041583.1413544466157.JavaMail.zimbra@redhat.com> <CADMpkcL2mntDd0dOruziqF0F=xURnqGgd_YkpF+ONzz8v-wQ9Q@mail.gmail.com> <1354095824.13104897.1413553221955.JavaMail.zimbra@redhat.com> <CADMpkcLRCsfQSr0=f97kXJw3RwHN5A79MYQ2j7XaxPxUy2MCLg@mail.gmail.com>
Date: Fri, 17 Oct 2014 13:03:23 -0700
Message-ID: <CABkgnnUBYtWUY-CZDDzFiDpMWYbca74o6kejh2Q3L+FHVaHoOA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/zGhUiVHdD0A-JBGrtYYH_RvvUt8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 20:03:32 -0000

On 17 October 2014 06:51, Bodo Moeller <bmoeller@acm.org> wrote:
> I know. This is exactly why OpenSSL does honor SSL_MODE_SEND_FALLBACK_SCSV
> even when the highest supported protocol version is enabled. (So the best
> way to make the API less fragile might be to create an additional setting
> that makes SSL_MODE_SEND_FALLBACK_SCSV behavior unconditional, such as
> SSL_MODE_SEND_FALLBACK_SCSV_FOR_TESTING.)

I considered building this sort of feature, but it comes down to this:
if you are doing the fallback thing, such that setting this option is
even a possibility, then you are already tall enough to work out when
to send the SCSV and when not to.

Furthermore, we have situations where clients are configured to send
less than the highest version initially, such that it would not be
appropriate to set the SCSV.  And, we now have experimental TLS 1.3
code in NSS, all of which makes the question of  what the actual
highest version that is supported quite murky.

Another alternative is to have a value that is set to the highest
version permitted.  Handshakes that go out with lower version numbers
get marked with the SCSV.  Set this to a low value and the SCSV is
suppressed.

v2.43.4 | Report a Bug | By Email | System Status