
I'm a little confused about something I am reading in Bulletproof SSL.

"TLS 1.2 is the only protocol that allows suites to define their PRFs. This means that for the suites defined before TLS 1.2 the negotiated protocol version dictates the PRF. For example, the TLS_RSA_WITH_AES_128_CBC_SHA suite uses a PRF based on HMACSHA256 when negotiated with TLS 1.2 but a PRF based on a HMAC-MD5/HMACSHA combination when used with TLS 1.0. On the other hand, SHA384 GCM suites (which can be used only with TLS 1.2 and newer) will always use HMAC-SHA384 for the PRF."

The cipher in the example above is listed as a TLSv1.0 cipher on the OpenSSL page. However, it says here that it can be negotiated as TLSv1.2? What am I missing? (Obviously a lot, I know that, but be gentle :)) I was under the impression that 1.0 ciphers could only be negotiated as 1.0.

user53029
  • In TLS 1.2 the hashing algorithm negotiated is used as the hash function in the PRF. So it's not really "defining" it per se. This answer details it better. http://security.stackexchange.com/questions/39590/whats-the-hash-for-in-ecdhe-rsa-aes-gcm-sha/39596#39596 – RoraΖ Aug 22 '14 at 11:25

1 Answer


No, new versions of TLS have not removed cipher suites defined in older versions.[1] Which version of TLS you use and which cipher suite you use are two linked but separate matters (you can't always use a new cipher suite in an old TLS version). OpenSSL is just listing which version the cipher suites were first added in.

The PRF is mostly used for key derivation (and verifying the handshake hasn't been tampered with). TLS 1.0 and 1.1 said, "we do this thing with MD5 and SHA-1". TLS 1.2 went and changed it to, "Yeah, so, now it depends on the negotiated cipher suite. All the old cipher suites will now use SHA-256, btw.". (Edit: I'm 99% certain that's correct. The old cipher suites may use either MD5 or SHA-1 instead. The RFC confuses me.)

[1] The agenda for TLS 1.3 includes removing all sorts of old, obsolete nonsense, including many yucky cipher suites. Also, I'm being careful with my language when I say "TLS". I'm ignoring SSL. SSL 3.0 probably removed stuff, and I don't know if TLS 1.0 did.

Matt Nordhoff
  • Ok, what about 1.2 suites such as TLS_RSA_WITH_AES_256_CBC_SHA256 or TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384? Can a client/server negotiate these if they only support TLSv1.0? – user53029 Aug 22 '14 at 12:00
  • Technically a client and server can negotiate whatever they're configured to negotiate and support. The cipher suite format hasn't changed between TLSv1 and TLSv1.2. Just the meaning of the elements. If the client and server both support TLS_RSA_WITH_AES_256_CBC_SHA256 then it will be used. If TLSv1.0 is used it will still work. If TLSv1.2 is used it will still work. The only difference is in how the negotiated hashing algorithm is used. – RoraΖ Aug 22 '14 at 13:01
  • Thanks Raz I'm good now..well, at least for the moment:) – user53029 Aug 22 '14 at 13:24
  • Officially TLS1.1 deleted the broken-off-the-bat export suites and TLS1.2 deleted the broken-by-time single-DES suites, but OpenSSL still allows them -- if the peer agrees of course. (And RFC6176 "withdrew" *SSL2* a decade too late.) TLS1.1 noted (affirmed?) the KRB5 suites and TLS1.2 did not but it didn't obsolete RFC2712 either. – dave_thompson_085 Aug 23 '14 at 17:31
  • @raz no: 1.0 (and SSL3) suites, except possibly the deletions I just noted, work in 1.2 using the new PRF. But suites with an AEAD mode or SHA2 hash are new in 1.2 and can't work in 1.0 or 1.1 because they change the record format or (some) values respectively. The 2 cases asked by user53029 are both SHA2 and thus 1.2 only. – dave_thompson_085 Aug 23 '14 at 17:33
  • @dave_thompson_085 Ah, thanks for clearing that up! – RoraΖ Aug 24 '14 at 13:09
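The point made in the answer and in dave_thompson_085's comments, that an old suite such as TLS_RSA_WITH_AES_128_CBC_SHA keeps its name but derives keys with a different PRF under TLS 1.2, can be checked directly. The following Python is an added example, not code from the question or the answers: it implements the PRF of RFC 2246 (TLS 1.0/1.1) and RFC 5246 (TLS 1.2) and derives the master secret from the same constructed inputs under each version; the `master_secret` helper and the sample values are assumptions of the example.

```python
"""Same cipher suite, different key derivation per TLS version (added example)."""
import hashlib
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 2246/5246 section 5: HMAC chain expanded to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]


def split_secret(secret: bytes) -> tuple:
    """TLS 1.0/1.1 halve the secret into S1/S2; an odd length shares the middle byte."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def prf_tls10(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5(S1) XOR P_SHA1(S2). Fixed, independent of the suite."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF: P_<hash>. SHA-256 for pre-1.2 suites; a suite may name
    its own hash (e.g. SHA-384 for the *_SHA384 GCM suites)."""
    return p_hash(hash_name, secret, label + seed, length)


def master_secret(version: tuple, pre_master: bytes, client_random: bytes,
                  server_random: bytes) -> bytes:
    """Derive the 48-byte master secret as the negotiated version dictates."""
    seed = client_random + server_random
    if version in ((3, 1), (3, 2)):          # TLS 1.0 / TLS 1.1
        return prf_tls10(pre_master, b"master secret", seed, 48)
    if version == (3, 3):                    # TLS 1.2
        return prf_tls12(pre_master, b"master secret", seed, 48)
    raise ValueError("unsupported version %r" % (version,))


# Constructed sample inputs (not real handshake values).
PMS = b"\x03\x01" + bytes(46)
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    for ver in ((3, 1), (3, 2), (3, 3)):
        print(ver, master_secret(ver, PMS, CLIENT_RANDOM, SERVER_RANDOM).hex())
```

Running it prints an identical master secret for TLS 1.0 and 1.1 and a different one for TLS 1.2, even though the cipher suite and all handshake inputs are unchanged.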