Tim Rühsen wrote:
> Hi Ángel,
>
> thanks for your testing.
>
> I would like to reproduce it - can you tell me what you did exactly?

I used a simple server that printed the TLS Client Hello and closed the connection.
Browsers automatically retried with lower SSL versions.
wget aborted with an «Unable to establish SSL connection.» message

> The original paper talks about 'client renegotiation dance'.
> What about renegotiation at the protocol level? Isn't it possible that a TLS
> connection goes down to SSLv3 transparently to the client/server code?
AFAIK no. That is protected by the HMAC. The problem is the version downgrading
on a network error, which can be inserted by a MiTM (and without
TLS_FALLBACK_SCSV the server won't be able to tell that the client downgraded its
version, thinking the server didn't support a greater one).

> I am not that deep into the TLS/SSL libraries to answer that question myself
> right now. The paper talks about 'proper protocol version negotiation' - that
> seems to need some clarification.
That's the server replying with a lower protocol version in the same connection.
The downgrade was a hack for broken servers not properly supporting SSL. And
we are paying for it now.
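The fallback dance and the TLS_FALLBACK_SCSV check discussed in this thread, as an added example (not code from wget or from either poster). It simulates, in memory, a client that retries with successively lower protocol versions after a connection failure, a MiTM that closes every connection offering more than SSLv3, and a server applying the RFC 7507 rule: if TLS_FALLBACK_SCSV (0x5600) is present in the cipher-suite list and client_version is below the server's highest supported version, answer with an inappropriate_fallback alert (86). The ClientHello is a reduced body with no record/handshake framing and no extensions (an assumption to keep the example short), and the `Server`, `direct`, `mitm_drop_above` and `client_connect` names are this example's own.

```python
"""Fallback dance vs. TLS_FALLBACK_SCSV (RFC 7507), simulated in memory.

Added example, not wget code. The ClientHello is a reduced body with no
record or handshake framing and no extensions (assumption for brevity).
"""
import struct

TLS_FALLBACK_SCSV = 0x5600        # cipher-suite value defined by RFC 7507
INAPPROPRIATE_FALLBACK = 86       # AlertDescription defined by RFC 7507
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F

SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)


def build_client_hello(version, cipher_suites):
    """client_version | 32-byte random (zeros here) | empty session id |
    cipher_suites vector | null compression."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    return (bytes(version) + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")


def parse_client_hello(body):
    """Return (client_version, [cipher suites]) from the body built above."""
    version = (body[0], body[1])
    pos = 2 + 32                        # skip the random
    pos += 1 + body[pos]                # skip the session id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, suites_len, 2)]
    return version, suites


class Server:
    """Negotiates min(client_version, max_version). If it implements RFC 7507
    it refuses a ClientHello that carries TLS_FALLBACK_SCSV together with a
    version below its own maximum: that combination only occurs when the
    client fell back although the server supports something higher."""

    def __init__(self, max_version, honours_scsv):
        self.max_version = max_version
        self.honours_scsv = honours_scsv

    def handle(self, hello):
        version, suites = parse_client_hello(hello)
        if (self.honours_scsv and TLS_FALLBACK_SCSV in suites
                and version < self.max_version):
            return ("alert", INAPPROPRIATE_FALLBACK)
        return ("server_hello", min(version, self.max_version))


def direct(hello, server):
    """No attacker: the ClientHello reaches the server unchanged."""
    return server.handle(hello)


def mitm_drop_above(target_version):
    """Active attacker that closes every connection whose ClientHello offers
    more than target_version, so a fallback-dancing client ends up there."""
    def relay(hello, server):
        version, _ = parse_client_hello(hello)
        if version > target_version:
            return None                 # simulated "connection closed"
        return server.handle(hello)
    return relay


def client_connect(relay, server, versions=(TLS12, TLS11, TLS10, SSL30),
                   use_scsv=True):
    """Browser-style fallback dance: offer the highest version first and, on
    a network error, retry with the next lower one. A client implementing
    RFC 7507 adds TLS_FALLBACK_SCSV to every retry. versions=(TLS12,) models
    a client that does not retry at all (the wget behaviour in the thread).
    Returns (outcome, detail, attempts)."""
    attempts = []
    for i, version in enumerate(versions):
        suites = [TLS_RSA_WITH_AES_128_CBC_SHA]
        if use_scsv and i > 0:
            suites.append(TLS_FALLBACK_SCSV)
        result = relay(build_client_hello(version, suites), server)
        attempts.append((version, result))
        if result is None:
            continue                    # network error: fall back
        if result[0] == "alert":
            return ("failed", result[1], attempts)
        return ("connected", result[1], attempts)
    return ("failed", None, attempts)


if __name__ == "__main__":
    mitm = mitm_drop_above(SSL30)
    print("no attacker:        ", client_connect(direct, Server(TLS12, True))[:2])
    print("MiTM, no SCSV:      ", client_connect(mitm, Server(TLS12, True), use_scsv=False)[:2])
    print("MiTM, SCSV honoured:", client_connect(mitm, Server(TLS12, True))[:2])
    print("MiTM, legacy server:", client_connect(mitm, Server(TLS12, False))[:2])
    print("SSLv3-only server:  ", client_connect(mitm, Server(SSL30, True))[:2])
    print("no-retry client:    ", client_connect(mitm, Server(TLS12, True), versions=(TLS12,))[:2])
```

The comparison that matters is `version < self.max_version` on the server side: a server that genuinely speaks only SSLv3 still accepts the SCSV-bearing hello, so the signal breaks nothing legitimate, while a TLS 1.2 server sees the SCSV at SSLv3 and knows the fallback was not its doing. A client that never retries (the wget case) is never talked down by the MiTM, it simply fails to connect; and a legacy server that ignores the SCSV lets the downgrade through, which is why both sides need to implement it.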

