1275252 - Deal with TLS 1.3 intolerance

Status: RESOLVED FIXED

(Core :: Security: PSM, defect)

Description

[Masatoshi Kimura [:emk]]

Attachment: patch

- Added SSL_ERROR_INTERNAL_ERROR_ALERT to fallback reasons.
- Do not send the fallback SCSV with TLS 1.2.
The fallback SCSV spec (RFC 7507) explicitly allows this:
https://tools.ietf.org/html/rfc7507
>   For example, during the initial
>   deployment of a new protocol version (when some interoperability
>   problems may have to be expected), smoothly falling back to the
>   previous protocol version in case of problems may be preferable to
>   potentially not being able to connect at all: so TLS_FALLBACK_SCSV
>   could be omitted for this particular protocol downgrade step.

Also, TLS 1.3 has a built-in anti-downgrade mechanism to prevent downgrade attacks. So fallback SCSV is unnecessary.

Microsoft opposed the fallback SCSV because they concerned that the fallback SCSV might break forward compatibility. And they were right :(

Comment 1

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Comment on attachment 8755836 [details] [diff] [review]
patch

Review of attachment 8755836 [details] [diff] [review]:
-----------------------------------------------------------------

I guess I'm not too surprised there are issues with this. r=me

Comment 2

[Masatoshi Kimura [:emk]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/8eb0aaeb31344b0800469018c658e0f1c84d5823
Bug 1275252 - Deal with some TLS 1.3 intolerance. r=keeler

Comment 3

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/8eb0aaeb3134