Re: [TLS] Don't Split HelloRetryRequest
Christopher Patton <cpatton@cloudflare.com> Thu, 01 April 2021 18:20 UTC
Return-Path: <cpatton@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 559B13A1E0C for <tls@ietfa.amsl.com>; Thu, 1 Apr 2021 11:20:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qncRPvtXA0vI for <tls@ietfa.amsl.com>; Thu, 1 Apr 2021 11:20:28 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFE3B3A1E08 for <tls@ietf.org>; Thu, 1 Apr 2021 11:20:27 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id y5so3108354qkl.9 for <tls@ietf.org>; Thu, 01 Apr 2021 11:20:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YvlWgJDJ6dp75+u0NH1kkgqmNqYUu6Z+r7oHR8Kuu1w=; b=Q0mM6D4plyYhcMWXt+JLK6bEOZ+01VWAHMxZu1BA16K5InCu1zxTHS11wNJwE37SH5 KakMvTqeyVzCmjV+byiAopKhxCq8CbFQiJWYRfJGaeGhMxpQ3wffsQ2XhtIsZn7sE/92 WhTuc1lQiCz+y0Z3yTox52UaE5X3V+lnUe+J8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YvlWgJDJ6dp75+u0NH1kkgqmNqYUu6Z+r7oHR8Kuu1w=; b=Jo9ncAdJyIYYcBAHaATeZ7DGgLNCX/9X5SDLJI0+ndNVkU9VmYnNbWW9MNIlLgW/y4 JKZSbEQnrWo5squXNGtOAGySu49Vvf1mna7JV7i9CbuJtnyh6Tm7TUdgefknGnOdb4yz G/ueIWPV/sjpr2Y/MOVoo+Rz+ScRKyfHuZB1jCmLhkziZ76qI9bvMDw55FteuEQv0vcY xVQ9cjKxiWRJkk2o5sDWELIklSlgueZgQAST6JSKWcAJVzLZwCHnhpvJrV3Zt55JFi8r BfyT/Kt/CqQnDQQYvD0peRk0qBOJoVbwmnVjkIkVKL498PnnbZPjCiUc6BqQS4obKzLL CmhA==
X-Gm-Message-State: AOAM533T1+330iWNT/aqIfMFSoDZeID2cDT07VSD1cRsLueCuE75wa/n F1JcgC9bg/w4OqAZPyKqsiClo8zLAcay0+NeBdZcrw==
X-Google-Smtp-Source: ABdhPJwbbU5y+r4uXgbz7+aleXUbUQGq2oVY3KH5Z+8RnQzxFU7fP5yFqgXnQcmKDxUSmAoDrKqGwRdAlaGTqbznupU=
X-Received: by 2002:a37:a38e:: with SMTP id m136mr9623366qke.250.1617301226261; Thu, 01 Apr 2021 11:20:26 -0700 (PDT)
MIME-Version: 1.0
References: <d0758a0a-737b-40ac-8189-1b4168510859@www.fastmail.com> <CAG2Zi216sYnwmZFdHxnMC+8vP0Ewr7tBr0TBc2PKkpJsgRFjiA@mail.gmail.com> <8f69f37e-b011-85a3-cd76-75cff00156a2@cs.tcd.ie> <CAG2Zi229wAWC8NLuN_1h6KQiBRzxvA-NQN8obdoSbfAUL+713A@mail.gmail.com>
In-Reply-To: <CAG2Zi229wAWC8NLuN_1h6KQiBRzxvA-NQN8obdoSbfAUL+713A@mail.gmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Thu, 01 Apr 2021 11:20:15 -0700
Message-ID: <CAG2Zi23GOs7KvvZ-digueTOARCZa87hXeKac22GbbPDgpdXF+Q@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Martin Thomson <mt@lowentropy.net>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001638b205beed49d6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0R4OC6FrsdCoGzf_UErTmvGjVKE>
Subject: Re: [TLS] Don't Split HelloRetryRequest
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 18:20:32 -0000
One way HRR is used is in case the client's and server's cipher suite > preferences don't intersect. This feature is an essential part of TLS, as > there's no a priori reason why the client and server will initially > advertise overlapping preferences. (They usually do, hence the claim that > HRR is rare.) I don't think aborting the handshake instead of HRR is an > acceptable solution, as this would mean there are deployments with which > TLS couldn't be used. > Slight refinement: David B. pointed out to me that "cipher suite preference" isn't quite the right term here. The client provides key shares in its CH that it guesses the server can use; if it's wrong, then the server replies with HRR. A more accurate statement would be that "HRR is essential for ensuring the client sends a key share the server supports."
- [TLS] Don't Split HelloRetryRequest Martin Thomson
- Re: [TLS] Don't Split HelloRetryRequest Stephen Farrell
- Re: [TLS] Don't Split HelloRetryRequest Christopher Patton
- Re: [TLS] Don't Split HelloRetryRequest Stephen Farrell
- Re: [TLS] Don't Split HelloRetryRequest Christopher Patton
- Re: [TLS] Don't Split HelloRetryRequest Christopher Patton
- Re: [TLS] Don't Split HelloRetryRequest Stephen Farrell
- Re: [TLS] Don't Split HelloRetryRequest Carrick Bartle
- Re: [TLS] Don't Split HelloRetryRequest Stephen Farrell
- Re: [TLS] Don't Split HelloRetryRequest David Benjamin
- Re: [TLS] Don't Split HelloRetryRequest Stephen Farrell
- Re: [TLS] Don't Split HelloRetryRequest Martin Thomson
- Re: [TLS] Don't Split HelloRetryRequest Martin Thomson
- Re: [TLS] Don't Split HelloRetryRequest Christopher Patton
- Re: [TLS] Don't Split HelloRetryRequest Martin Thomson