Suggestion: TLSv1.3 Handshake downgrade detection and protection
From: David Hu via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 21 Oct 2021 22:31:38 +0000
"TLS 1.3 provides a downgrade protection mechanism which is embedded in the server’s random nonce in ServerHello message. If a TLS 1.3 server sees that it’s only possible to negotiate an older protocol version, then TLS 1.3 requires to set the last 8 bytes of their ServerHello.random field to one of the predefined values:
If negotiating TLS 1.2, then the last 8 bytes have to be 44 4F 57 4E 47 52 44 01
If negotiating TLS 1.1 or even older protocol versions, then the last 8 bytes have to be 44 4F 57 4E 47 52 44 00
Then, TLS 1.3 says that a client has to check that the last 8 bytes of received ServerHello.random are not equal to either of the values above, and if so, the connection has to be terminated."
The first seven of the last 8 bytes literally spell "DOWNGRD", signifying that the protocol version has been (intentionally) lowered.
This helps prevent downgrade attacks to a degree.
By the way, if curl is told to negotiate TLSv1.3 but the ServerHello shows the server only supports TLSv1.2 or lower, AND the ServerHello.random ends in either 44 4F 57 4E 47 52 44 01 or 44 4F 57 4E 47 52 44 00, curl should immediately abort the handshake.
And if a user chooses a TLS version lower than TLSv1.3 while the server supports TLSv1.3, curl should show a warning.
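The check described in the message, as an added example that is not part of the original post and not curl or libcurl code. It parses a ServerHello handshake message (record layer already stripped), takes the negotiated version from the supported_versions extension when present and from legacy_version otherwise, and applies the RFC 8446 section 4.1.3 rule: a client that offered TLS 1.3 and is handed TLS 1.2 or lower aborts if the last 8 bytes of ServerHello.random match either sentinel, and a client that offered at most TLS 1.2 and is handed TLS 1.1 or lower aborts on the 0x00 sentinel. The ServerHello bytes are constructed by the helper build_server_hello() below; that helper, the 24-byte random prefix and the cipher-suite values are assumptions made for the sample, not captured traffic.

```python
"""Downgrade-sentinel check from RFC 8446, section 4.1.3.

Added example for this thread; it is not curl or libcurl code. The
ServerHello bytes are constructed by build_server_hello() below.
"""
import struct

# Last 8 bytes of ServerHello.random that a TLS 1.3 server sets when it
# negotiates a lower version: "DOWNGRD" followed by 0x01 or 0x00.
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")  # negotiated TLS 1.2
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")  # negotiated TLS 1.1 or lower

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 0x002B
HT_SERVER_HELLO = 2


def parse_server_hello(handshake: bytes) -> dict:
    """Parse a ServerHello handshake message (record layer already stripped).

    Returns the negotiated version (supported_versions if present, else
    legacy_version), the 32-byte random and the selected cipher suite.
    """
    if not handshake or handshake[0] != HT_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    if len(body) != length or length < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = int.from_bytes(body[0:2], "big")
    server_random = body[2:34]
    pos = 34
    pos += 1 + body[pos]            # legacy_session_id_echo (length-prefixed)
    cipher_suite = body[pos:pos + 2]
    pos += 3                        # cipher_suite + legacy_compression_method
    selected = legacy_version
    if pos + 2 <= len(body):        # optional extensions block
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                # In a ServerHello this extension carries the one selected version.
                selected = int.from_bytes(edata, "big")
            pos += 4 + elen
    return {"version": selected, "random": server_random, "cipher_suite": cipher_suite}


def downgrade_detected(client_max_version: int, server_version: int,
                       server_random: bytes) -> bool:
    """True if the client must abort with illegal_parameter (RFC 8446 4.1.3).

    A TLS 1.3 client handed TLS 1.2 or below checks for both sentinels; a
    TLS 1.2 client handed TLS 1.1 or below checks for the 0x00 sentinel.
    """
    tail = server_random[-8:]
    if client_max_version >= TLS13 and server_version <= TLS12:
        return tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
    if client_max_version == TLS12 and server_version <= TLS11:
        return tail == DOWNGRADE_TLS11
    return False


def build_server_hello(version: int, server_random: bytes) -> bytes:
    """Construct a minimal ServerHello for the checks below (constructed sample)."""
    assert len(server_random) == 32
    legacy = min(version, TLS12)             # TLS 1.3 keeps legacy_version = 0x0303
    suite = b"\x13\x01" if version == TLS13 else b"\x00\x2f"   # assumed suites
    ext = b""
    if version == TLS13:                      # supported_versions(0x002b), 2-byte body
        ext = struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13)
    body = (struct.pack(">H", legacy) + server_random + b"\x00" + suite + b"\x00"
            + struct.pack(">H", len(ext)) + ext)
    return bytes([HT_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


def check_handshake(client_max_version: int, handshake: bytes) -> tuple:
    """Parse the ServerHello and decide: (negotiated_version, must_abort)."""
    hello = parse_server_hello(handshake)
    return hello["version"], downgrade_detected(client_max_version,
                                                hello["version"], hello["random"])


# Constructed randoms: 24 arbitrary bytes followed by the 8-byte tail under test.
PREFIX = bytes(range(24))
HONEST_RANDOM = PREFIX + bytes.fromhex("0011223344556677")

if __name__ == "__main__":
    print(check_handshake(TLS13, build_server_hello(TLS12, PREFIX + DOWNGRADE_TLS12)))
    print(check_handshake(TLS13, build_server_hello(TLS12, HONEST_RANDOM)))
```

Note that a client which never offered TLS 1.3 must not treat the 0x01 sentinel as an error: the sentinel only has meaning relative to the highest version the client itself advertised, which is why check_handshake() takes the client's maximum version as input.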
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2021-10-22