
TLS Version Intolerance

Slides from a short talk at the Berlin AppSec & Crypto Meetup, a continuation of Hanno Böck’s talk about TLS version intolerance from a month before. He explained how, with TLS 1.3 just around the corner, there are again growing compatibility concerns about legacy TLS stacks. I covered the latest TLS WG developments around version negotiation for TLS 1.3 and GREASE.

Tim Taubert

October 06, 2016

Transcript

  1. Negotiating a TLS connection
    Client: The highest TLS version I support is 1.2.
    Server: I only support TLS 1.1, let’s use that to communicate.
  2. Hitting a version intolerant server
    Client: The highest TLS version I support is 1.3.
    Server: *does stupid things*
  3. 1st connection attempt:
    Client: The highest TLS version I support is 1.3.
    Server: *does not understand*
    2nd connection attempt:
    Client: The highest TLS version I support is 1.2.
    Server: Now we’re talking!
  4. Downgrade Protection Mechanisms
    Downgrade sentinels in TLS 1.3
    Static values at the end of ServerHello.random
    TLS 1.2: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x01
    TLS 1.1: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x00
  5. Generate Random Extensions And Sustain Extensibility
    “have one joint and keep it well oiled” (AGL)
    Inject GREASE values pseudo-randomly
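
The downgrade sentinels from slide 4, checked from the client side after a fallback retry like the one on slide 3. This is an added example, not code from the talk: the function and constant names are assumptions, the sample randoms are constructed, and the rule for which client checks which sentinel follows RFC 8446 section 4.1.3, which the slide does not spell out.

```python
# Added example: client-side check for the downgrade sentinels on slide 4.
# Sentinel bytes are copied from the slide; they spell "DOWNGRD" + 0x01 / 0x00.
SENTINEL_TLS12 = bytes([0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01])
SENTINEL_TLS11 = bytes([0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00])

# Protocol version code points as they appear on the wire.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304


def downgrade_detected(client_best: int, negotiated: int, server_random: bytes) -> bool:
    """Return True if ServerHello.random says the server could have done better.

    client_best is the highest version the client really supports, not the
    lower version it may have offered on a fallback retry (slide 3).
    """
    if len(server_random) != 32:
        raise ValueError("ServerHello.random must be exactly 32 bytes")
    tail = server_random[-8:]
    # A TLS 1.3 client that ends up on 1.2 or below rejects either sentinel.
    if client_best >= TLS13 and negotiated <= TLS12:
        return tail in (SENTINEL_TLS12, SENTINEL_TLS11)
    # A TLS 1.2 client that ends up on 1.1 or below rejects the 0x00 sentinel.
    if client_best == TLS12 and negotiated <= TLS11:
        return tail == SENTINEL_TLS11
    return False


# Constructed ServerHello.random values: 24 filler bytes plus an 8-byte tail.
RANDOM_WITH_SENTINEL = bytes(range(24)) + SENTINEL_TLS12  # 1.3-capable server, 1.2 negotiated
RANDOM_PLAIN = bytes(range(32))                           # server that tops out at 1.2

if __name__ == "__main__":
    # Fallback retry offered 1.2, but the server marks that it supports 1.3:
    # the first attempt was tampered with or dropped, so the client aborts.
    print(downgrade_detected(TLS13, TLS12, RANDOM_WITH_SENTINEL))
    # Genuine TLS 1.2-only server: no sentinel, the handshake continues.
    print(downgrade_detected(TLS13, TLS12, RANDOM_PLAIN))
```

Because ServerHello.random is covered by the handshake's integrity checks, an on-path attacker who forces the fallback cannot strip the sentinel without breaking the handshake.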