JDK-8061798

Add support for TLS_FALLBACK_SCSV (RFC 7507)

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: P3
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: tbd_major
    • Component/s: security-libs
    • Labels:
      None

      Description

      This is an enhancement request to add support for the TLS_FALLBACK_SCSV cipher suite that can be employed to prevent unintended protocol downgrades between clients and servers. The latest IETF draft is: https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-03
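
      The server-side rule this request refers to (RFC 7507), as an added example in Python; it is not JDK code and not part of the original issue. The helper names and the sample ClientHello bytes are constructed for illustration, and the parser reads only the legacy client_version and cipher_suites fields.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signaling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86   # RFC 7507 fatal alert description
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303


def parse_client_hello(body: bytes):
    """Return (client_version, [cipher suites]) from a ClientHello body.

    `body` starts at client_version (handshake header already stripped).
    Raises ValueError on truncated or malformed input.
    """
    try:
        (version,) = struct.unpack_from("!H", body, 0)
        off = 2 + 32                       # skip client_version + random
        sid_len = body[off]
        off += 1 + sid_len                 # skip session_id
        (cs_len,) = struct.unpack_from("!H", body, off)
        off += 2
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!H", body, off + i)[0]
              for i in range(0, cs_len, 2)]
    return version, suites


def check_fallback(body: bytes, server_max: int):
    """Server-side RFC 7507 rule: return the alert to send, or None to go on."""
    version, suites = parse_client_hello(body)
    # The SCSV marks a retry at a lowered version. If the server could have
    # negotiated something higher, the earlier failure was not its doing.
    if TLS_FALLBACK_SCSV in suites and server_max > version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def build_hello(version: int, suites):
    """Constructed sample ClientHello body (zero random, empty session_id)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")


# Constructed inputs: 0xC02F is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
RETRY_AT_TLS10 = build_hello(TLS10, [0xC02F, TLS_FALLBACK_SCSV])
FIRST_TRY_TLS12 = build_hello(TLS12, [0xC02F])
```

      A retry that carries the SCSV is rejected only when the server supports a higher version than the one offered; a server whose maximum equals the offered version continues the handshake.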

        Activity

        wetmore Bradford Wetmore added a comment - - edited
        As mentioned in the SSLParameters, this requires an API change for JDK 9, and likely can't be done for shipping JDKs.

        IIRC, (haven't looked at this in a while), we can probably add the server side support with no API change.
        mullan Sean Mullan added a comment -
        Latest IETF draft: http://ietfreport.isoc.org/all-ids/draft-ietf-tls-downgrade-scsv-03.txt
        mullan Sean Mullan added a comment -
        Initial security-dev discussion on adding support for this feature is here: http://mail.openjdk.java.net/pipermail/security-dev/2014-October/011348.html
        fweimer Florian Weimer added a comment -
        Rebased webrev posted for review: http://mail.openjdk.java.net/pipermail/security-dev/2015-January/011653.html
        xuelei Xue-Lei Fan added a comment -
        Voices: TLS Fallbacks are Dead

        Eric Lawrence gave an overview of the current state of TLS version intolerance and browser fallbacks, https://textslashplain.com/2016/05/04/tls-fallbacks-are-dead/

        Currently, it looks like the major browsers don't support version fallback any more:

        Safari: Not supported
        IE: Not supported
        Firefox: Removed in Firefox 37
        Chrome: Removed in Chrome 50
        Opera: Removed in Opera 37

        Version fallback is a legacy mechanism for version negotiation implementation bugs. With the fading out of the version fallback mechanism, it may not be necessary to support TLS_FALLBACK_SCSV if it is not actually used in the real world.
        fweimer Florian Weimer added a comment -
        I've reached the same conclusion quite some time ago, and I think I posted this to the mailing list. However, I'm worried that TLS 1.3 support in clients will bring back fallbacks in some form. We will have to see if we can label insecure fallback in clients as a client security issue (which is what should have been done for the existing fallbacks anyway).
        xuelei Xue-Lei Fan added a comment -
        For TLS 1.3, the protocol version in the ClientHello handshake message uses the TLS 1.2 version number. It mitigates the version fallback requirement from TLS 1.3 to TLS 1.2. Let's see what could happen in the real world. If browsers come back to the version fallback mechanism in the future, we may re-open this RFE and consider this feature again.

          People

          • Assignee: xuelei Xue-Lei Fan
          • Reporter: mullan Sean Mullan
          • Votes: 0
          • Watchers: 4
