6

My IE browser has SSLv3.0, TLS 1.0,1.1 and 1.2 enabled in the advanced settings.

And (I was informed by my server admin) my web server can encrypt data in SSLv3.0 and TLS 1.0

Now which system (server or the browser) decides which protocol to use. I do know that TLS 1.0 is used. But I need to now which system takes the decision.

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
nJoshi
  • 171
  • 1
  • 4

2 Answers2

13

To complement the answer from @raz, one must be aware of Protocol Downgrade Attacks. Browsers like IE send their maximum supported version, and then the server chooses (in your case, IE says "I know up to TLS 1.2" and the server responds with "we will do TLS 1.0"). However, browsers know that there exist buggy servers out there, that will simply have an epileptic stroke when the client says "I know up to TLS 1.2". If the connection just breaks, the browser will try again, saying "I know up to TLS 1.1". On failure, it then tries again with "I know up to TLS 1.0". Again on failure, the client will again try, claiming only SSL 3.0 support.

The problem with this behaviour is that an attacker can simply kill connection attempts that try to do anything else than SSL 3.0. From the point of view of the client, this will look like a buggy server that cannot tolerate anything else than SSL 3.0. From the point of view of the server, this will look like an old client that knows only SSL 3.0. The net result is that client and server will use SSL 3.0, even though both support TLS 1.0.

Summary: though, nominally, in SSL/TLS the client proposes and the server chooses, the try-again-with-lower-version behaviour of most browsers implies that, in practice, the client proposes but the attacker chooses. Which is unfortunate.

This is why you should disable SSL 3.0 support in your browser.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
11

The server chooses which cipher suite to use for establishing the secure channel.

The client (browser) poses the protocols and encryption algorithms that it will accept. The server chooses the one it deems most secure (based on its own list of acceptable protocols) and that is used for the secure channel. If the server does not see any cipher suites that it deems suitable, then the connection is rejected.

Please see How SSL/TLS Works for more information.

Community
  • 1
RoraΖ
  • 12,317
  • 4
  • 51
  • 83
  • 1
    So to reaffirm, the server decides that, correct? – nJoshi Nov 13 '14 at 20:22
  • 2
    Yes, the server chooses which cipher suite to use. – RoraΖ Nov 13 '14 at 20:23
  • @raz: Do that mean that the list of the accepted cipher strings on server site needs to be ordered (the most secure first etc.)? – boleslaw.smialy Jul 28 '15 at 13:26
  • 1
    @boleslaw.smialy The server is just configured to support a list of cipher suites. It chooses the first cipher suite in the client's list that it supports. If none are supported by the server, then the handshake fails. – RoraΖ Jul 28 '15 at 13:31