code review 157090043: crypto/tls: support TLS_FALLBACK_SCSV as a server.

crypto/tls: support TLS_FALLBACK_SCSV as a server.

A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only
supports SSLv3 as a server, not as a client. An easy fix is to change
the default minimum version to TLS 1.0 but that seems a little much
this late in the 1.4 process as it may break some things.

Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a
mechanism for solving the fallback problem overall. Chrome has
implemented this since February and Google has urged others to do so in
light of yesterday's news.

With this change, clients can indicate that they are doing a fallback
connection and Go servers will be able to correctly reject them.

[1] http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
[2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

[agl1, 2014-10-15 21:12:56]

Hello rsc@golang.org (cc: golang-codereviews@googlegroups.com),

I'd like you to review this change to
https://code.google.com/p/go

[rsc, 2014-10-15 22:56:56]

LGTM

https://codereview.appspot.com/157090043/diff/40001/src/crypto/tls/alert.go
File src/crypto/tls/alert.go (right):

https://codereview.appspot.com/157090043/diff/40001/src/crypto/tls/alert.go#n...
src/crypto/tls/alert.go:64: alertUserCanceled:           "user canceled",
do you need to add text for alertInappropriateFallback here?

https://codereview.appspot.com/157090043/diff/40001/src/crypto/tls/handshake_...
File src/crypto/tls/handshake_server.go (right):

https://codereview.appspot.com/157090043/diff/40001/src/crypto/tls/handshake_...
src/crypto/tls/handshake_server.go:233: return false, errors.New("tls:
connection rejected because the client indicated that it was retrying with a
lesser protocol version when that shouldn't be necessary.")
can you make the error text any shorter?

"tls: client using inppropriate protocol version fallback"
?

[agl1, 2014-10-16 00:54:11]

*** Submitted as https://code.google.com/p/go/source/detail?r=ad9e191a5194 ***

crypto/tls: support TLS_FALLBACK_SCSV as a server.

A new attack on CBC padding in SSLv3 was released yesterday[1]. Go only
supports SSLv3 as a server, not as a client. An easy fix is to change
the default minimum version to TLS 1.0 but that seems a little much
this late in the 1.4 process as it may break some things.

Thus this patch adds server support for TLS_FALLBACK_SCSV[2] -- a
mechanism for solving the fallback problem overall. Chrome has
implemented this since February and Google has urged others to do so in
light of yesterday's news.

With this change, clients can indicate that they are doing a fallback
connection and Go servers will be able to correctly reject them.

[1]
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting...
[2] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

LGTM=rsc
R=rsc
CC=golang-codereviews
https://codereview.appspot.com/157090043

https://codereview.appspot.com/157090043/diff/40001/src/crypto/tls/alert.go
File src/crypto/tls/alert.go (right):

https://codereview.appspot.com/157090043/diff/40001/src/crypto/tls/alert.go#n...
src/crypto/tls/alert.go:64: alertUserCanceled:           "user canceled",
On 2014/10/15 22:56:56, rsc wrote:
> do you need to add text for alertInappropriateFallback here?

Done.

https://codereview.appspot.com/157090043/diff/40001/src/crypto/tls/handshake_...
File src/crypto/tls/handshake_server.go (right):

https://codereview.appspot.com/157090043/diff/40001/src/crypto/tls/handshake_...
src/crypto/tls/handshake_server.go:233: return false, errors.New("tls:
connection rejected because the client indicated that it was retrying with a
lesser protocol version when that shouldn't be necessary.")
On 2014/10/15 22:56:56, rsc wrote:
> can you make the error text any shorter?
> 
> "tls: client using inppropriate protocol version fallback"
> ?
> 

Done.