Re: [quicwg/base-drafts] Prohibit TLS 1.3 middlebox compatibility mode (#3595)

Martin Thomson <> Thu, 23 April 2020 07:53 UTC

List-Id: Notification list for GitHub issues related to the QUIC WG <>

@martinthomson commented on this pull request.

> @@ -1631,6 +1632,21 @@ PROTOCOL_VIOLATION.
 As a result, EndOfEarlyData does not appear in the TLS handshake transcript.
+## Prohibit TLS Middlebox Compatibility Mode {#compat-mode}
+Appendix D.4 of {{!TLS13}} describes an alteration to the TLS 1.3 handshake as
+a workaround for bugs in some middleboxes. The TLS 1.3 middlebox compatibility
+mode involves setting the legacy_session_id field to a 32-byte value in the
+ClientHello and ServerHello, then sending a change_cipher_spec record. Both
+field and record carry no semantic content and are ignored.
+This mode has no use in QUIC as it only applies to middleboxes that interfere
+with TLS over TCP. A client MUST NOT request the use of the TLS 1.3
+compatibility mode. A server MUST treat the receipt of a TLS ClientHello that
+requests the use of the TLS 1.3 middlebox compatibility mode as a connection
+error of type PROTOCOL_VIOLATION.
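
Review bot: The server requirement in the last added paragraph hinges on a ClientHello that "requests the use of the TLS 1.3 middlebox compatibility mode", but the text never ties that to a condition a server can test. The second paragraph only describes the mode as setting legacy_session_id to a 32-byte value and sending a change_cipher_spec record. Suggest stating the trigger explicitly (for example, a non-empty legacy_session_id in the ClientHello) and saying whether receipt of a change_cipher_spec record on its own is also an error, so that implementations detect the same thing.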

I can do SHOULD.

The way our stack works is that we let TLS consume the ClientHello and then ask it for a response.  That produces a CCS if the client asked for one.  We turn that into an error (we used to crash).  Any implementation could, as I think Kazuho suggests, just drop the CCS, which might be easier in cases where your interface only passes handshake records.  We have a generic record callback, so detecting record type 20 is easy.

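
The two detection points discussed in this message (the ClientHello's legacy_session_id, and a record of type 20 in the TLS stack's output), as an added example that is not part of the original email or of any QUIC implementation. All function names are hypothetical, the sample bytes are constructed, and the code assumes that any non-empty legacy_session_id counts as a request for compatibility mode.

```python
import struct

CLIENT_HELLO = 1         # TLS HandshakeType client_hello
CHANGE_CIPHER_SPEC = 20  # TLS ContentType; the "record type 20" in the comment

def legacy_session_id(handshake: bytes) -> bytes:
    """Extract legacy_session_id from a ClientHello handshake message.
    QUIC carries handshake messages without the record layer, so the input
    starts at the 4-byte handshake header (type, 24-bit length)."""
    if len(handshake) < 4 or handshake[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    # legacy_version (2) + random (32) precede the 1-byte length prefix.
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        raise ValueError("bad legacy_session_id length")
    return body[35:35 + sid_len]

def requests_compat_mode(handshake: bytes) -> bool:
    """Assumption: a non-empty legacy_session_id is the request for the mode."""
    return len(legacy_session_id(handshake)) > 0

def record_types(stream: bytes) -> list:
    """List the ContentType of every record in TLS record-layer output."""
    types, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if len(stream) - off - 5 < length:
            raise ValueError("truncated record body")
        types.append(ctype)
        off += 5 + length
    return types

def server_flight_error(stream: bytes):
    """Name the QUIC error if the TLS stack emitted a CCS, else None."""
    return "PROTOCOL_VIOLATION" if CHANGE_CIPHER_SPEC in record_types(stream) else None

# Constructed sample inputs (fields after the session id are placeholders).
def sample_client_hello(session_id: bytes) -> bytes:
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00")
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body

SAMPLE_FLIGHT = bytes([22, 3, 3, 0, 4]) + b"\x02\x00\x00\x00" + bytes([20, 3, 3, 0, 1, 1])
```

Checking the ClientHello rejects the request before TLS produces any output, while checking the output for type 20 catches the same condition after the fact.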