< draft-ietf-tls-downgrade-scsv-01.txt		draft-ietf-tls-downgrade-scsv-02.txt >
	Network Working Group B. Moeller		Network Working Group B. Moeller
	Internet-Draft A. Langley		Internet-Draft A. Langley
	Updates: 2246, 4346, 4347, 5246, 6347 Google		Updates: 2246, 4346, 4347, 5246, 6347 Google
	(if approved) November 10, 2014		(if approved) November 12, 2014
	Intended status: Standards Track		Intended status: Standards Track
	Expires: May 14, 2015		Expires: May 16, 2015
	TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol		TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol
	Downgrade Attacks		Downgrade Attacks
	draft-ietf-tls-downgrade-scsv-01		draft-ietf-tls-downgrade-scsv-02
	Abstract		Abstract
	This document defines a Signaling Cipher Suite Value (SCSV) that		This document defines a Signaling Cipher Suite Value (SCSV) that
	prevents protocol downgrade attacks on the Transport Layer Security		prevents protocol downgrade attacks on the Transport Layer Security
	(TLS) protocol. It updates RFC 2246, RFC 4346, and RFC 5246.		(TLS) protocol. It updates RFC 2246, RFC 4346, and RFC 5246.
	Status of This Memo		Status of This Memo
	This Internet-Draft is submitted in full conformance with the		This Internet-Draft is submitted in full conformance with the
	skipping to change at page 1, line 35 ¶		skipping to change at page 1, line 35 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at http://datatracker.ietf.org/drafts/current/.		Drafts is at http://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on May 14, 2015.		This Internet-Draft will expire on May 16, 2015.
	Copyright Notice		Copyright Notice
	Copyright (c) 2014 IETF Trust and the persons identified as the		Copyright (c) 2014 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(http://trustee.ietf.org/license-info) in effect on the date of		(http://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 3, line 8 ¶		skipping to change at page 3, line 8 ¶
	that comply with this document, by having the client indicate that		that comply with this document, by having the client indicate that
	the current connection attempt is merely a fallback, and by having		the current connection attempt is merely a fallback, and by having
	the server return a fatal alert if it detects an inappropriate		the server return a fatal alert if it detects an inappropriate
	fallback. (The alert does not necessarily indicate an intentional		fallback. (The alert does not necessarily indicate an intentional
	downgrade attack, since network glitches too could result in		downgrade attack, since network glitches too could result in
	inappropriate fallback retries.)		inappropriate fallback retries.)
	The fallback SCSV defined in this document is not suitable substitute		The fallback SCSV defined in this document is not suitable substitute
	for proper TLS version negotiation. TLS implementations need to		for proper TLS version negotiation. TLS implementations need to
	properly handle TLS version negotiation and extensibility mechanisms		properly handle TLS version negotiation and extensibility mechanisms
	to avoid the security issues and connection delays associated with		to avoid the security issues and connection delays associated with
	fallback retries."		fallback retries.
	This specification applies to implementations of TLS 1.0 [RFC2246],		This specification applies to implementations of TLS 1.0 [RFC2246],
	TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], and to implementations of		TLS 1.1 [RFC4346], and TLS 1.2 [RFC5246], and to implementations of
	DTLS 1.0 [RFC4347] and DTLS 1.2 [RFC6347]. (It is particularly		DTLS 1.0 [RFC4347] and DTLS 1.2 [RFC6347]. (It is particularly
	relevant if TLS implementations also include support for predecessor		relevant if TLS implementations also include support for predecessor
	protocol SSL 3.0 [RFC6101].) It can be applied similarly to later		protocol SSL 3.0 [RFC6101].) It can be applied similarly to later
	protocol versions.		protocol versions.
	The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",		The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
	"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this		"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
	skipping to change at page 4, line 8 ¶		skipping to change at page 4, line 8 ¶
	3. Server behavior		3. Server behavior
	This section specifies server behavior when receiving the		This section specifies server behavior when receiving the
	TLS_FALLBACK_SCSV cipher suite from a client in		TLS_FALLBACK_SCSV cipher suite from a client in
	ClientHello.cipher_suites.		ClientHello.cipher_suites.
	o If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the		o If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the
	highest protocol version supported by the server is higher than		highest protocol version supported by the server is higher than
	the version indicated in ClientHello.client_version, the server		the version indicated in ClientHello.client_version, the server
	MUST respond with a fatal inappropriate_fallback alert.		MUST respond with a fatal inappropriate_fallback alert (unless it
			responds with a fatal protocol_version alert because the version
			indicated in ClientHello.client_version is unsupported). The
			record layer version number for this alert MUST be set to either
			ClientHello.client_version (as it would for the Server Hello
			message if the server was continuing the handshake), or to the
			record layer version number used by the client.
	o Otherwise (either TLS_FALLBACK_SCSV does not appear, or it appears		o Otherwise (either TLS_FALLBACK_SCSV does not appear, or it appears
	and the client's protocol version is at least the highest protocol		and the client's protocol version is at least the highest protocol
	version supported by the server), the server proceeds with the		version supported by the server), the server proceeds with the
	handshake as usual.		handshake as usual.
	(A protocol version is supported by the server if, in response to		(A protocol version is supported by the server if, in response to
	appropriate Client Hello messages, the server would use it for		appropriate Client Hello messages, the server would use it for
	ServerHello.server_version. If a particular protocol version is		ServerHello.server_version. If a particular protocol version is
	implemented but completely disabled by server settings, it is not		implemented but completely disabled by server settings, it is not
End of changes. 6 change blocks.
	6 lines changed or deleted		12 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/