IETF Logo Mail Archive

Re: [Emu] WGLC completed for for draft-ietf-emu-eap-tls13-05

Jouni Malinen <j@w1.fi> Sat, 13 July 2019 14:21 UTC

Return-Path: <j@w1.fi>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8B7A120045 for <emu@ietfa.amsl.com>; Sat, 13 Jul 2019 07:21:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id up6aLWmwm3yn for <emu@ietfa.amsl.com>; Sat, 13 Jul 2019 07:21:34 -0700 (PDT)
Received: from li674-96.members.linode.com (mail.w1.fi [212.71.239.96]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A063A120026 for <emu@ietf.org>; Sat, 13 Jul 2019 07:21:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by li674-96.members.linode.com (Postfix) with ESMTP id 408D811B51; Sat, 13 Jul 2019 14:21:31 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at w1.fi
Received: from li674-96.members.linode.com ([127.0.0.1]) by localhost (mail.w1.fi [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmBlwLfo_Mtj; Sat, 13 Jul 2019 14:21:29 +0000 (UTC)
Received: by jm (sSMTP sendmail emulation); Sat, 13 Jul 2019 17:21:27 +0300
Date: Sat, 13 Jul 2019 17:21:27 +0300
From: Jouni Malinen <j@w1.fi>
To: Alan DeKok <aland@deployingradius.com>
Cc: Joseph Salowey <joe@salowey.net>, EMU WG <emu@ietf.org>
Message-ID: <20190713142127.GA32230@w1.fi>
References: <CAOgPGoCB7VOzjo+ckDhNiApa6ozCDr3zfj6pMVG3ZRfV4RP6mQ@mail.gmail.com> <20190712210819.GA26853@w1.fi> <05B92C31-6CFB-4DFD-BCBD-EE5F3472D7B2@deployingradius.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <05B92C31-6CFB-4DFD-BCBD-EE5F3472D7B2@deployingradius.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/PgGjhmafbbSJCcQctDsFw7AvNmU>
Subject: Re: [Emu] WGLC completed for for draft-ietf-emu-eap-tls13-05
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jul 2019 14:21:37 -0000

On Sat, Jul 13, 2019 at 08:59:04AM +0200, Alan DeKok wrote:
> On Jul 12, 2019, at 11:08 PM, Jouni Malinen <j@w1.fi> wrote:
> > It would seem to make sense to me to allow the EAP-TLS 1.3 server to
> > send out either an empty plaintext or a one octet plaintext to avoid
> > this issue in a straightforward manner.
> 
>   We may also want to later perform additional signalling at that phase of the authentication.  As such, it may be good to say:
> 
> * a one octet plaintext of 0x00 should be sent
> * on reception, any data received should be ignored
>   * non-zero octets, or more than one octet MAY indicate future extensions

I'm not sure how I'd feel about EAP-TLS extension that uses actual
application data when we have EAP-TEAP available for cases that need
additional data to be exchanged in the tunnel. Anyway, this combination
of server sending one octet (0x00) and peer decrypting the application
data but ignoring its length and contents is what I ended up
implementing now. This seems to work fine for the case where
NewSessionTicket message(s) are used.

I did see some issues when OpenSSL 1.1.1 when disabling sending of
session tickets, though. The current draft indicates that the empty
Application Data payload would be send out in the same EAP packet with
the server's Finished message, i.e., before the server having
authenticated the peer. And this would be done without the peer having
used TLS early data (which is explicitly disallowed in the draft). That
combination did not work with my experiments since OpenSSL was rejecting
the SSL_write() operation after the server having written own Finished
message, but before having received the Finished message from the peer.
The OpenSSL documentation seemed to imply that SSL_write_early_data()
could be used by the server _if_ the client first sent early data.. At
least in my tests, OpenSSL rejected that call without early data from
the client.

I may have missed some other part of the OpenSSL API where the server
could have sent out the Application Data message to the unauthenticated
peer (if someone knows how to do that, please do let me know), but
regardless, this design of the EAP-TLS v1.3 server depending on a
mechanism that need actual application data (even if empty or known one
octet value) to be sent before having completed authentication of the
TLS client feels like something that can result in implementation
complexities with various TLS libraries. Forcing a new session ticket to
be sent out is a way to work around this, but I'm not sure I'd call this
ideal.

-- 
Jouni Malinen                                            PGP id EFC895FA

v2.23.0 | Report a Bug | By Email