Am 24.10.2014 23:16, schrieb David Li:
On Fri, Oct 24, 2014 at 1:28 PM, Richard Könning <richard.koenn...@ts.fujitsu.com <mailto:richard.koenn...@ts.fujitsu.com>> wrote: Am 24.10.2014 20:47, schrieb David Li: On Fri, Oct 24, 2014 at 11:18 AM, Richard Könning <Richard.Koenning@ts.fujitsu.__com <mailto:richard.koenn...@ts.fujitsu.com> <mailto:Richard.Koenning@ts.__fujitsu.com <mailto:richard.koenn...@ts.fujitsu.com>>> wrote: At 24.10.2014 19:03, David Li wrote: I am still a little unclear by what exactly TLS_FALLBACK_SCSV option would do. What if the server only supports SSLv3 + TLSv1 and client only connects with SSLv3? Without the patch, both would agree to SSLv3. So this is a problem. Well I thought it's the CBC cipher mode used by SSLv3 that has the problem. So we should avoid SSLv3 all together. Exactly. But when you have a client which speaks only SSLv3 as in your example below you have to decide: Don't use the client or enhance it so it speaks at least TLSv1 or use SSLv3 despite the problems with SSLv3. Maybe this is is my confusion. Will the SSLv3 alone cause the attack? Or will a "downgrade process" from TLS 1.0 or later to the SSLv3 expose the vulnerability? SSLv3 alone is vulnerable. When you decide that this vulnerability is so large that you don't want to use SSLv3 in any case than life is easy: deactivate the usage of SSLv3 in all clients and servers and you have not to think about fall back to SSLv3. But when your opinion is, that an SSLv3 connection is better than no connection than you may have to fall back to SSLv3 some times. The TLS_FALLBACK_SCSV helps you to ensure that the fall back is done only when SSLv3 is really the highest SSL/TLS protocol shared by client and server. So is it true that in this case TLS_FALLBACK_SCSV still can't prevent the attack since this is a totally legitimate honest fallback to SSLv3? In other words, the MITM attacker doesn't have to message the handshake at all.
Your example, which i addressed, was a client using SSLv3 right from the start (for whatever reasons), in that case there is *no fallback*. If you set nevertheless the option TLS_FALLBACK_SCSV by the client than you will get no connection. The same result can be achieved by deinstalling the client.
TLS_FALLBACK_SCSV can prevent the usage of SSLv3 when both partners are able to speak a better protocol. If SSLv3 is the best e.g. the client speaks than you have only the choice to communicate via the attackable SSLv3 (or even worse completely unencrypted) or to communicate not at all.
Best regards, Richard ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
