TLS Version intolerance

Almost every imaginable TLS implementation flaw can be found in the wild.


SSL/TLS versions during handshake

Client: "Dear server, I support TLSv1.2"

Server: "I don't support that, let's use TLSv1.0"

But sometimes...

Client: "Dear server, I support TLSv1.2"

Server thinks: "I never heard of TLSv1.2... Maybe I better say nothing at all or send an error..."

Version intolerance (this is always a server bug)


Client tries to connect with highest version TLSv1.2 - Server wants SSLv3

Client tries to connect with highest version TLSv1.0 - Server will use TLSv1.0

What browsers did

Browser tries to connect with SSLv3 to TLSv1.2.

No answer? Browser retries with SSLv3 to TLsv1.1.

Retries all supported versions.

Behavior has been called "Protocol Dance".

Black Hat 2014

Antoine Delignat-Lavaud presents Virtual Host Confusion attack.

POODLE (2014)

Padding Oracle On Downgraded Legacy Encryption

Another Padding Oracle that only works against SSLv3.

Good for the attacker: We can downgrade users.


SCSV (RFC 7507): Server signals browser that it is not broken.

Protocol dance and SCSV

  1. We have a version negotiation mechanism
  2. Servers have broken TLS implementations.
  3. Browsers implement workaround.
  4. Workaround introduces security issue.
  5. Workaround for security issue introduced by workaround gets standardized.

Version intolerance

By now most browser downgrades have been removed.

"It's taken about 15 years to get to the point where web browsers don't have to work around broken version negotiation in TLS and that's mostly because we only have three active versions of TLS. When we try to add a fourth (TLS 1.3) in the next year, we'll have to add back the workaround, no doubt." Adam Langley (2016)

TLS 1.3 version intolerance

Around 3 % of servers affected.

Several vendors identified already, trying to pressure them to fix.

Thanks for listening