Martin, Consider the following two cases: 1. We have a client which simply is configured ...
10 years, 1 month ago
(2016-01-25 03:35:31 UTC)
#3
Martin,
Consider the following two cases:
1. We have a client which simply is configured for TLS 1.2
2. We have a client which tries TLS 1.3 and then falls back to TLS 1.2 upon RST.
These look identical to NSS: as a client configured to the range (1.1, 1.2), and
a true TLS 1.3 server responds identically: with a tainted random value.
However, in the first case, we need a successful handshake and in the second
case we need it to fail.
WRT to the rest of your note: it's actually not possible to set the downgrade
version to be > than the *supported* version; I check for that. It's simply
possible to configure it *between* the maximum supported version and the maximum
configured version (inclusive) to support the case above.
Martin, see comments above. I may be short on sleep here, but I don't think ...
10 years, 1 month ago
(2016-01-25 03:42:35 UTC)
#4
Martin, see comments above. I may be short on sleep here, but I don't think a
single "check" bit works properly here, since I think we need to compare the
version we *want* against the version we *got*.
https://codereview.appspot.com/289900043/diff/1/external_tests/ssl_gtest/ssl_...
File external_tests/ssl_gtest/ssl_loopback_unittest.cc (right):
https://codereview.appspot.com/289900043/diff/1/external_tests/ssl_gtest/ssl_...
external_tests/ssl_gtest/ssl_loopback_unittest.cc:798: ConnectExpectFail();
On 2016/01/25 01:41:59, mt wrote:
> I wouldn't have thought that this would be an error-worthy scenario. The
client
> is configured for 1.1 and it got 1.1. That the server decided to signal a
> potential downgrade isn't of much interest to the client. That you then
decide
> to abort is problematic, I think.
The reason it's aborting is that this API (SSL_SetDowngradeCheckVersion() tells
NSS that we have fallen back insecurely from version X).
https://codereview.appspot.com/289900043/diff/1/lib/ssl/SSLerrs.h
File lib/ssl/SSLerrs.h (right):
https://codereview.appspot.com/289900043/diff/1/lib/ssl/SSLerrs.h#newcode469
lib/ssl/SSLerrs.h:469: "Invalid version set for downgrade check.")
On 2016/01/25 01:41:59, mt wrote:
> I think that SEC_ERROR_INVALID_ARGS is plenty good for this.
Yes, that's fine.
https://codereview.appspot.com/289900043/diff/1/lib/ssl/ssl3con.c
File lib/ssl/ssl3con.c (right):
https://codereview.appspot.com/289900043/diff/1/lib/ssl/ssl3con.c#newcode6580
lib/ssl/ssl3con.c:6580: ss->ssl3.downgradeCheckVersion);
On 2016/01/25 01:41:59, mt wrote:
> I think that this is an abuse of PR_MAX. You require that the
> downgradeCheckVersion is >= vrange.max, so that is the relevant value to use.
>
> downgradeCheckVersion = ss->ssl3.downgradeCheckVersion;
> if (!downgradeCheckVersion) {
> downgradeCheckVersion = ss->vrange.max;
> }
Well, it's either 0 or >= ssl3.ssl3.downgradeCheckVersion (as reflected in your
proposed code). I'm happy to change it as you suggest, but it's not clear to me
why that's an improvement.
https://codereview.appspot.com/289900043/diff/1/lib/ssl/ssl3con.c#newcode8147
lib/ssl/ssl3con.c:8147: * we ship the final version of TLS 1.3.
On 2016/01/25 01:41:59, mt wrote:
> Acknowledged, but you can remove this note because we all don't care about
> SSLv2. Anyone sending a v2-compatible hello gets what they deserve :)
I was thinking to leave this in place until we actually removed V2, but I could
go either way.
https://codereview.appspot.com/289900043/diff/1/lib/ssl/ssl3con.c#newcode8154
lib/ssl/ssl3con.c:8154: sizeof tls13_downgrade_random);
On 2016/01/25 01:41:59, mt wrote:
> parens on sizeof
Yeah, good point.
https://codereview.appspot.com/289900043/diff/1/lib/ssl/sslimpl.h
File lib/ssl/sslimpl.h (right):
https://codereview.appspot.com/289900043/diff/1/lib/ssl/sslimpl.h#newcode1038
lib/ssl/sslimpl.h:1038: * Used only on the client. */
On 2016/01/25 01:41:59, mt wrote:
> The comment in ssl.h implies that the value defaults to the maximum configured
> version.
Right, I'll fix this comment.
On 2016/01/25 03:35:31, ekr-webrtc wrote: > 1. We have a client which simply is configured ...
10 years, 1 month ago
(2016-01-25 03:48:49 UTC)
#5
On 2016/01/25 03:35:31, ekr-webrtc wrote:
> 1. We have a client which simply is configured for TLS 1.2
> 2. We have a client which tries TLS 1.3 and then falls back to TLS 1.2 upon
RST.
Ugh, I hadn't thought about the fallback thing. That's gross, but I guess that
I can accept that. Please update the comment to make that clearer. "downgrade"
here might refer to the attack, but fallback also applies.
Issue 289900043: Implement TLS 1.3 anti-downgrade measure
(Closed)
Created 10 years, 1 month ago by ekr-rietveld
Modified 10 years ago
Reviewers: mt, wtc1
Base URL:
Comments: 26