TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
RFC 7507
Internet Engineering Task Force (IETF)
Request for Comments: 7507
Updates: 2246, 4346, 4347, 5246, 6347
Category: Standards Track
ISSN: 2070-1721

B. Moeller
A. Langley
Google
April 2015
TLS Fallback Signaling Cipher Suite Value (SCSV)
for Preventing Protocol Downgrade Attacks
Abstract
This document defines a Signaling Cipher Suite Value (SCSV) that
prevents protocol downgrade attacks on the Transport Layer Security
(TLS) and Datagram Transport Layer Security (DTLS) protocols. It
updates RFCs 2246, 4346, 4347, 5246, and 6347. Server update
considerations are included.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7507.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Moeller & Langley Standards Track [Page 1]
RFC 7507 TLS Fallback SCSV April 2015
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Protocol Values . . . . . . . . . . . . . . . . . . . . . . . 3
3. Server Behavior . . . . . . . . . . . . . . . . . . . . . . . 4
4. Client Behavior . . . . . . . . . . . . . . . . . . . . . . . 4
5. Operational Considerations . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1. Normative References . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . 7
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
To work around interoperability problems with legacy servers, many
TLS client implementations do not rely on the TLS protocol version
negotiation mechanism alone but will intentionally reconnect using a
downgraded protocol if initial handshake attempts fail. Such clients
may fall back to connections in which they announce a version as low
as TLS 1.0 (or even its predecessor, Secure Socket Layer (SSL) 3.0)
as the highest supported version.
While such fallback retries can be a useful last resort for
connections to actual legacy servers, there's a risk that active
attackers could exploit the downgrade strategy to weaken the
cryptographic security of connections. Also, handshake errors due to
network glitches could similarly be misinterpreted as interaction
with a legacy server and result in a protocol downgrade.
All unnecessary protocol downgrades are undesirable (e.g., from TLS
1.2 to TLS 1.1, if both the client and the server actually do support
TLS 1.2); they can be particularly harmful when the result is loss of
the TLS extension feature by downgrading to SSL 3.0. This document
defines an SCSV that can be employed to prevent unintended protocol
downgrades between clients and servers that comply with this document
by having the client indicate that the current connection attempt is
merely a fallback and by having the server return a fatal alert if it
detects an inappropriate fallback. (The alert does not necessarily
indicate an intentional downgrade attack, since network glitches too
could result in inappropriate fallback retries.)
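The mechanism just described (client marks a fallback retry, server aborts if the marked retry is below what it supports) can be seen end to end in the following model. This is an added illustration, not code from the RFC or from any TLS implementation: no real handshakes are performed, "network interference" is simulated by a function that drops hellos above a chosen version, and the constants TLS_FALLBACK_SCSV (0x5600) and the inappropriate_fallback alert (86) are the values the RFC assigns in its later sections rather than anything on this page. The base cipher suite list is a constructed placeholder.

```python
# Model of RFC 7507 fallback signaling. Added example; not the RFC's own code.

TLS_FALLBACK_SCSV = 0x5600            # cipher suite value {0x56, 0x00} defined by RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86     # AlertDescription inappropriate_fallback(86), RFC 7507

# Protocol versions as (major, minor) pairs, comparable as tuples.
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
VERSIONS = [SSL30, TLS10, TLS11, TLS12]

BASE_SUITES = [0x002F, 0x0035]        # constructed placeholder suite list (not a signal)


def server_handle(server_max_version, client_version, cipher_suites):
    """Server-side check from the RFC: if the SCSV is present and the server
    supports something higher than the version the client announced, the
    client is falling back unnecessarily and the server must abort."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    # Ordinary version negotiation: pick the highest version both sides share.
    return ("ok", min(client_version, server_max_version))


def client_connect(send_hello, client_max_version=TLS12, min_version=TLS10, use_scsv=True):
    """Fallback-retrying client. Each retry announces a lower highest version;
    every retry that announces less than the true maximum carries the SCSV.
    send_hello(version, suites) returns ('ok', v) or ('alert', code), or raises
    ConnectionError to simulate a handshake that never completes."""
    attempts = [v for v in reversed(VERSIONS) if min_version <= v <= client_max_version]
    for i, version in enumerate(attempts):
        suites = list(BASE_SUITES)
        if use_scsv and i > 0:            # a retry below our real maximum is a fallback
            suites.append(TLS_FALLBACK_SCSV)
        try:
            kind, value = send_hello(version, suites)
        except ConnectionError:
            continue                      # looks like a legacy server; try lower
        if kind == "alert":
            return ("failed", value)      # fatal alert: stop, do not keep downgrading
        return ("connected", value)
    return ("failed", None)


def make_path(server_max_version, drop_above=None):
    """Simulated network path to a server. If drop_above is set, any hello
    announcing a version above it is silently dropped, which is what both a
    version-intolerant legacy server and an active downgrade attempt look like
    from the client's side."""
    def send_hello(client_version, cipher_suites):
        if drop_above is not None and client_version > drop_above:
            raise ConnectionError("handshake never completed")
        return server_handle(server_max_version, client_version, cipher_suites)
    return send_hello


if __name__ == "__main__":
    # Genuine legacy server, clean network: normal negotiation lands on TLS 1.0.
    print(client_connect(make_path(TLS10)))
    # Legacy server that breaks on newer hellos: fallback with SCSV is accepted.
    print(client_connect(make_path(TLS10, drop_above=TLS10)))
    # Modern server, hellos above TLS 1.0 dropped on the path: SCSV triggers alert 86.
    print(client_connect(make_path(TLS12, drop_above=TLS10)))
    # Same situation without the SCSV: the downgrade to TLS 1.0 goes unnoticed.
    print(client_connect(make_path(TLS12, drop_above=TLS10), use_scsv=False))
```

The third and fourth cases are the point of the document: with the SCSV the server sees a fallback it has no reason to accept and aborts, while a client that does not signal its fallback ends up on TLS 1.0 against a server that speaks TLS 1.2, whether the dropped hellos came from an attacker or from a flaky network.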
The fallback SCSV defined in this document is not a suitable
substitute for proper TLS version negotiation. TLS implementations