draft-ietf-tls-downgrade-scsv-01.txt   draft-ietf-tls-downgrade-scsv-02.txt 
Network Working Group B. Moeller Network Working Group B. Moeller
Internet-Draft A. Langley Internet-Draft A. Langley
Updates: 2246, 4346, 4347, 5246, 6347 Google Updates: 2246, 4346, 4347, 5246, 6347 Google
(if approved) November 10, 2014 (if approved) November 12, 2014
Intended status: Standards Track Intended status: Standards Track
Expires: May 14, 2015 Expires: May 16, 2015
TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol
Downgrade Attacks Downgrade Attacks
draft-ietf-tls-downgrade-scsv-01 draft-ietf-tls-downgrade-scsv-02
Abstract Abstract
This document defines a Signaling Cipher Suite Value (SCSV) that This document defines a Signaling Cipher Suite Value (SCSV) that
prevents protocol downgrade attacks on the Transport Layer Security prevents protocol downgrade attacks on the Transport Layer Security
(TLS) protocol. It updates RFC 2246, RFC 4346, and RFC 5246. (TLS) protocol. It updates RFC 2246, RFC 4346, and RFC 5246.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
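Review bot: The Abstract's "It updates RFC 2246, RFC 4346, and RFC 5246." does not match the header line "Updates: 2246, 4346, 4347, 5246, 6347", and -02 carries the mismatch over unchanged. Either add RFC 4347 and RFC 6347 to the Abstract or drop them from the header, so that the DTLS scope is stated the same way in both places.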
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 14, 2015. This Internet-Draft will expire on May 16, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 8 skipping to change at page 3, line 8
that comply with this document, by having the client indicate that that comply with this document, by having the client indicate that
the current connection attempt is merely a fallback, and by having the current connection attempt is merely a fallback, and by having
the server return a fatal alert if it detects an inappropriate the server return a fatal alert if it detects an inappropriate
fallback. (The alert does not necessarily indicate an intentional fallback. (The alert does not necessarily indicate an intentional
downgrade attack, since network glitches too could result in downgrade attack, since network glitches too could result in
inappropriate fallback retries.) inappropriate fallback retries.)
The fallback SCSV defined in this document is not suitable substitute The fallback SCSV defined in this document is not suitable substitute
for proper TLS version negotiation. TLS implementations need to for proper TLS version negotiation. TLS implementations need to
properly handle TLS version negotiation and extensibility mechanisms properly handle TLS version negotiation and extensibility mechanisms
to avoid the security issues and connection delays associated with to avoid the security issues and connection delays associated with
fallback retries." fallback retries.
This specification applies to implementations of TLS 1.0 [RFC2246], This specification applies to implementations of TLS 1.0 [RFC2246],
TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], and to implementations of TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], and to implementations of
DTLS 1.0 [RFC4347] and DTLS 1.2 [RFC6347]. (It is particularly DTLS 1.0 [RFC4347] and DTLS 1.2 [RFC6347]. (It is particularly
relevant if TLS implementations also include support for predecessor relevant if TLS implementations also include support for predecessor
protocol SSL 3.0 [RFC6101].) It can be applied similarly to later protocol SSL 3.0 [RFC6101].) It can be applied similarly to later
protocol versions. protocol versions.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
skipping to change at page 4, line 8 skipping to change at page 4, line 8
3. Server behavior 3. Server behavior
This section specifies server behavior when receiving the This section specifies server behavior when receiving the
TLS_FALLBACK_SCSV cipher suite from a client in TLS_FALLBACK_SCSV cipher suite from a client in
ClientHello.cipher_suites. ClientHello.cipher_suites.
o If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the o If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the
highest protocol version supported by the server is higher than highest protocol version supported by the server is higher than
the version indicated in ClientHello.client_version, the server the version indicated in ClientHello.client_version, the server
MUST respond with a fatal inappropriate_fallback alert. MUST respond with a fatal inappropriate_fallback alert (unless it
responds with a fatal protocol_version alert because the version
indicated in ClientHello.client_version is unsupported). The
record layer version number for this alert MUST be set to either
ClientHello.client_version (as it would for the Server Hello
message if the server was continuing the handshake), or to the
record layer version number used by the client.
o Otherwise (either TLS_FALLBACK_SCSV does not appear, or it appears o Otherwise (either TLS_FALLBACK_SCSV does not appear, or it appears
and the client's protocol version is at least the highest protocol and the client's protocol version is at least the highest protocol
version supported by the server), the server proceeds with the version supported by the server), the server proceeds with the
handshake as usual. handshake as usual.
(A protocol version is supported by the server if, in response to (A protocol version is supported by the server if, in response to
appropriate Client Hello messages, the server would use it for appropriate Client Hello messages, the server would use it for
ServerHello.server_version. If a particular protocol version is ServerHello.server_version. If a particular protocol version is
implemented but completely disabled by server settings, it is not implemented but completely disabled by server settings, it is not
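Review bot: In the first bullet of Section 3, the added sentence "The record layer version number for this alert MUST be set to either ..." does not say which alert "this alert" is, because the parenthesis added just before it introduces a second alert, protocol_version. Name the alert explicitly (inappropriate_fallback, or both if that is the intent). In the same sentence, "as it would for the Server Hello message if the server was continuing the handshake" has no clear subject; something like "as the server would set it for the Server Hello message if it were continuing the handshake" reads unambiguously.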
 End of changes. 6 change blocks. 
6 lines changed or deleted 12 lines changed or added
