On Sunday, 19 October 2014, 21:11:01, Ángel González wrote:
> Tim Rühsen wrote:
> > Hi Ángel,
> >
> > thanks for your testing.
> >
> > I would like to reproduce it - can you tell me what you did exactly ?
>
> I used a simple server that printed the TLS Client Hello and closed the
> connection.
> Browsers automatically retried with lower SSL versions.
> wget aborted with an «Unable to establish SSL connection.» message
>
> > The original paper talks about 'client renegotiation dance'.
> > What about renegotiation at protocol level ? Isn't it possible that a TLS
> > connection goes down to SSLv3 intransparent to the client/server code ?
>
> AFAIK no. That is protected by the HMAC. The problem is the version
> downgrading on a network error, which can be inserted by a MiTM (and without
> TLS_FALLBACK_SCSV the server won't be able to that the client downgraded its
> version thinking the server didn't support a greater one).
>
> > I am not that deep into the TLS/SSL libraries to answer that question
> > myself right now. The paper talks about 'proper protocol version
> > negotiation' - that seems to need some clarification.
>
> That's the server replying with a lower protocol version in the same
> connection.
> The downgrade was a hack for broken servers not properly supporting SSL. And
> we are paying it now.
Thank you !

Tim
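The two mechanisms discussed above, proper in-connection version negotiation versus the client-side "fallback dance" and the TLS_FALLBACK_SCSV signal that lets a server tell the two apart, as an added simulation that is not code from wget or from anyone in this thread. It models no real TLS handshake: ClientHello is reduced to an offered version plus a cipher suite list, the server object is constructed to reproduce the failure modes named in the thread (a connection closed mid-handshake as a MITM would do, and a legacy server that closes instead of negotiating down), and the assumed server policy is the one from RFC 7507 (SCSV value 0x5600, the inappropriate_fallback alert).

```python
# Added illustration (not wget code): a simulated TLS fallback dance and the
# TLS_FALLBACK_SCSV check (RFC 7507) a server uses to detect a downgraded retry.
from dataclasses import dataclass

# Protocol versions as (major, minor) so tuple comparison orders them.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600   # signalling cipher suite value from RFC 7507
AES128_SHA = 0x002F          # an ordinary cipher suite, present in every hello


@dataclass
class ClientHello:
    version: tuple        # highest version the client offers in this attempt
    cipher_suites: list   # 16-bit cipher suite values, SCSV included on retries


class Server:
    """Constructed server model; the failure modes are parameters, not real TLS."""

    def __init__(self, max_version, supports_scsv=True,
                 closes_on_newer=False, drop_first=0):
        self.max_version = max_version
        self.supports_scsv = supports_scsv
        # Broken legacy behaviour: close on an unknown version instead of
        # replying with a lower one (the reason the fallback hack exists).
        self.closes_on_newer = closes_on_newer
        # Simulated MITM: drop the first N handshakes to force a fallback.
        self.drop_first = drop_first

    def handle(self, hello):
        if self.drop_first > 0:
            self.drop_first -= 1
            raise ConnectionError("connection closed during handshake")
        if self.closes_on_newer and hello.version > self.max_version:
            raise ConnectionError("legacy server cannot parse this hello")
        # RFC 7507: SCSV present plus a version below what the server supports
        # means the client was pushed down; refuse instead of negotiating.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.version < self.max_version):
            return ("alert", "inappropriate_fallback")
        # Proper version negotiation: answer with the lower of the two maxima
        # inside the same connection; no retry is needed for this case.
        return ("server_hello", min(hello.version, self.max_version))


def connect_with_fallback(server, versions=(TLS12, TLS11, TLS10, SSL3),
                          send_scsv=True):
    """Client-side fallback dance: on a network error retry with the next
    lower version, adding TLS_FALLBACK_SCSV to every retry (RFC 7507)."""
    for attempt, version in enumerate(versions):
        suites = [AES128_SHA]
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        try:
            return server.handle(ClientHello(version, suites))
        except ConnectionError:
            continue   # drop one version and try again
    return ("error", "unable to establish SSL connection")


if __name__ == "__main__":
    print("MITM drops first hello, SCSV client, modern server:",
          connect_with_fallback(Server(TLS12, drop_first=1)))
    print("same, client without SCSV (silent downgrade):",
          connect_with_fallback(Server(TLS12, drop_first=1), send_scsv=False))
    print("old but correct server negotiates in-connection:",
          connect_with_fallback(Server(TLS10)))
    print("broken legacy server, SCSV still lets the retry succeed:",
          connect_with_fallback(Server(TLS10, closes_on_newer=True)))
```

The third and fourth scenarios are the point of the distinction made in the thread: a server that properly negotiates never triggers a retry, and even a broken legacy server still works with SCSV because the retry that finally reaches its real maximum is not "below" it. Only a retry that lands below a server's true maximum, the case a MITM creates by closing the first connection, is refused.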