Tim Taubert
@ttaubert
Version negotiation and GREASE in TLS 1.3
October 2016, Berlin
Slide 2
Version Intolerance & Fallbacks
Downgrade Protections
TLS 1.3 Version Negotiation
GREASE
Slide 3
Negotiating a TLS connection
Client: The highest TLS version I support is 1.2.
Server: I only support TLS 1.1, let’s use that to communicate.
Slide 4
Hitting a version intolerant server
Client: The highest TLS version I support is 1.3.
Server: *does stupid things*
Slide 5
1st connection attempt:
Client: The highest TLS version I support is 1.3.
Server: *does not understand*
2nd connection attempt:
Client: The highest TLS version I support is 1.2.
Server: Now we’re talking!
Slide 6
Insecure Version Fallbacks
Disabled since Firefox 37 and Chrome 50
POODLE attacks CBC padding in SSL 3.0
Slide 7
Version Intolerance & Fallbacks
Downgrade Protections
TLS 1.3 Version Negotiation
GREASE
Slide 8
Downgrade Protection Mechanisms
TLS_FALLBACK_SCSV {0x56, 0x00}
RFC 7507 by Adam Langley and Bodo Möller
Slide 9
Downgrade Protection Mechanisms
Downgrade sentinels in TLS 1.3
Static values at the end of ServerHello.random
TLS 1.2: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x01
TLS 1.1: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x00
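The sentinel check from this slide, as an added example that is not part of the original deck: a TLS 1.3-capable server stamps the tail of ServerHello.random when it negotiates an older version, and the client aborts when it sees the stamp. The function names, the `base` parameter and the version tuples are assumptions; the "1.1 or below" rule and the TLS 1.2 client check follow RFC 8446.

```python
import os

# Sentinels from the slide: last 8 bytes of the 32-byte ServerHello.random.
SENTINEL_TLS12 = bytes([0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01])  # b"DOWNGRD\x01"
SENTINEL_TLS11 = bytes([0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00])  # b"DOWNGRD\x00"

# Versions as (major, minor) tuples, so they compare in order.
TLS11, TLS12, TLS13 = (3, 2), (3, 3), (3, 4)


def server_random(server_max, negotiated, base=None):
    """Server side: a TLS 1.3-capable server that negotiates an older
    version overwrites the tail of its random with the matching sentinel.
    `base` (assumption: test hook) replaces os.urandom for fixed input."""
    rnd = bytearray(base if base is not None else os.urandom(32))
    if len(rnd) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if server_max >= TLS13 and negotiated == TLS12:
        rnd[24:] = SENTINEL_TLS12
    elif server_max >= TLS13 and negotiated <= TLS11:
        rnd[24:] = SENTINEL_TLS11
    return bytes(rnd)


def downgrade_detected(client_max, negotiated, random):
    """Client side: True means the server could have gone higher than
    what was negotiated, so the handshake must be aborted."""
    if len(random) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    tail = random[24:]
    if client_max >= TLS13 and negotiated <= TLS12:
        return tail in (SENTINEL_TLS12, SENTINEL_TLS11)
    if client_max == TLS12 and negotiated <= TLS11:
        return tail == SENTINEL_TLS11  # check as specified in RFC 8446
    return False


if __name__ == "__main__":
    # Constructed scenario: both peers support 1.3, but the server saw a
    # ClientHello offering only 1.2 (tampered, or a client fallback retry).
    stamped = server_random(TLS13, TLS12)
    print("abort handshake:", downgrade_detected(TLS13, TLS12, stamped))
```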
Slide 10
Version Intolerance & Fallbacks
Downgrade Protections
TLS 1.3 Version Negotiation
GREASE
Slide 11
TLS 1.3 Version Negotiation
ClientHello.legacy_version = {3, 3} (static)
Negotiate via supported_versions extension
Slide 12
Version Intolerance & Fallbacks
Downgrade Protections
TLS 1.3 Version Negotiation
GREASE
Slide 13
Generate Random Extensions And Sustain Extensibility
“have one joint and keep it well oiled” (AGL)
Inject GREASE values pseudo-randomly