datatracker.ietf.org
Sign In
Version 4.45, 2013-05-14
Report a bug

Managing and removing automatic version rollback in TLS Clients
draft-pettersen-tls-version-rollback-removal-01

Active Internet-Draft (None)
Document Stream: No stream defined
Last updated: 2013-01-09
Intended RFC status: (None)
Other versions: plain text, pdf, html
Document shepherd:(None)
Shepherd writeup
IESG State: I-D Exists
Responsible AD: (None)
Send notices to: No addresses provided 
Network Working Group                                       Y. Pettersen
Internet-Draft                                           January 9, 2013
Intended status: Informational
Expires: July 13, 2013

    Managing and removing automatic version rollback in TLS Clients
            draft-pettersen-tls-version-rollback-removal-01

Abstract

   Ever since vendors started deploying TLS 1.0 clients, these clients
   have had to handle server implementations that do not tolerate the
   TLS version supported by the client, usually by automatically
   signaling an older supported version instead.  Such version rollbacks
   represent a potential security hazard, if the older version should
   become vulnerable to attacks.  The same history repeated when TLS
   Extensions were introduced, as some servers would not negotiate with
   clients that sent these protocol extensions, forcing clients to
   reduce protocol functionality in order to maintain interoperability.

   This document outlines a procedure to help clients decide when they
   may use version rollback to maintain interoperability with legacy
   servers, under what conditions the clients should not allow version
   rollbacks, such as when the server has indicated support for the TLS
   Renegotiation Information extension.  The intention of this procedure
   is to limit the use of automatic version rollback to legacy servers
   and eventually eliminate its use.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 13, 2013.

Copyright Notice

Pettersen                 Expires July 13, 2013                 [Page 1]
Internet-Draft         Version rollback management          January 2013

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction

   When vendors of Transport Layer Security (TLS) clients intially
   developed and released TLS 1.0 [RFC2246] clients, they quickly
   discovered that not all Secure Sockets Layer (SSL) v3 [RFC6101]
   servers were willing to accept or complete handshakes with the TLS
   clients.  The reasons for this varied across various server
   implementations, such as not accepting versions higher than SSL v3,
   and various errors in the implementation of the handshake, e.g.,
   expecting the RSA Premaster Secret's version field to match the
   selected version, not the signaled version.

   Given the scope of the problem of getting servers fixed, in order to
   provide a good user experience for their customers, vendors elected
   instead to restart the connection and signal the older protocol
   version as the highest supported version in such cases.

   This process was repeated when TLS Extensions[RFC6066], TLS 1.1
   [RFC4346] and TLS 1.2 [RFC5246] were introduced, as clients had to
   disable these features to be able to connect with servers that did
   not tolerate them.

   As a consequence, clients are not just vulnerable to a version
   rollback attack; in the event that a vulnerability in older protocol
   versions should be discovered, they are intentionally designed to be
   vulnerable to such attacks by automatically performing a version
   rollback whenever something goes wrong with the current TLS
   handshake.

   While it would be preferable that clients do not perform version
   rollbacks, it is presently not practical to forbid it entirely, but
   there are ways to limit the use of rollbacks, and eventually phase
   out the usage completely.

Pettersen                 Expires July 13, 2013                 [Page 2]
Internet-Draft         Version rollback management          January 2013