oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SSL POODLE

From: Florian Weimer <fweimer () redhat com>
Date: Wed, 15 Oct 2014 09:10:24 +0200
On 10/15/2014 08:05 AM, Krassimir Tzvetanov wrote:

Agreed: just I think you meant "1": security.tls.version.min == 1 (not 3)...

from: http://kb.mozillazine.org/Security.tls.version.*
---
1

TLS 1.0 is the minimum required / maximum supported encryption protocol.
(This is the current default for the maximum supported version.)
---


What seems to get lost is this part of Mozilla's announcement:
“This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail.” 

<https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/>
As far as I can tell, the TLS downgrade protection mechanism work. However, browsers have an out-of-protocol, unprotected downgrade mechanism to SSL 3.0. (The Firefox function is called “retryDueToTLSIntolerance”.) I think we would be better off disabling *that* mechanism (for which configuration knob seems to exist, alas), instead of disabling SSL 3.0 or adding a different protocol version probing mechanism.
From what I can tell, applications which simply use one the usual TLS implementations and do not implement their own protocol downgrade are still secure even if both ends implement SSL 3.0 support because the version numbers are protected by the handshake hash and the TLS implementation will never negotiate use of the SSL 3.0 protocol version. 

--
Florian Weimer / Red Hat Product Security
Previous By Date Next
Previous By Thread Next

Current thread: