Re: [TLS] Can flags be responded to with an extension?
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 13 April 2022 18:44 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7B1D3A15B1 for <tls@ietfa.amsl.com>; Wed, 13 Apr 2022 11:44:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jdxYK8-gWZPE for <tls@ietfa.amsl.com>; Wed, 13 Apr 2022 11:44:10 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CC0D3A1586 for <tls@ietf.org>; Wed, 13 Apr 2022 11:44:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id F367FD01E3 for <tls@ietf.org>; Wed, 13 Apr 2022 21:44:07 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id t1O1ez6t9Dzg for <tls@ietf.org>; Wed, 13 Apr 2022 21:44:07 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id C8A8472 for <tls@ietf.org>; Wed, 13 Apr 2022 21:44:06 +0300 (EEST)
Date: Wed, 13 Apr 2022 21:44:06 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <YlcZ9uwcqN6kfuTN@LK-Perkele-VII2.locald>
References: <CABcZeBPyqFSgdiUbgKk5QbHnDA_zT8RH_KROebTrUNOnfqZZGQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBPyqFSgdiUbgKk5QbHnDA_zT8RH_KROebTrUNOnfqZZGQ@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5Sug8MasCwzC2iph_Z5Hk6e-Cwk>
Subject: Re: [TLS] Can flags be responded to with an extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2022 18:44:20 -0000
On Wed, Apr 13, 2022 at 10:56:49AM -0700, Eric Rescorla wrote: > Consider the case where the client wants to offer some capability that > the server then responds to with real data, rather than just an > acknowledgement. > > For instance, supposing the SCT extension from RFC 6962 did not exist, > the client would want to indicate support in CH and the server would > send the SCT in CERT, but this extension would need to be non-empty > and hence not a flag. draft-ietf-tls-tlsflags-09 seems a bit > uncelar on this point (unless I'm missing it) but I think we > should explicitly allow it. > > Thoughts? There is actually precedent for stuff like this (even if it is a nasty hack): The TLS_EMPTY_RENEGOTIATION_INFO_SCSV ciphersuite. The reply to that is the renegotiation_info extension, even if that extension was not present in the client hello. However, that one is not exactly pleasant to implement in TLS library, Looking at source of my TLS library, it has some magic hacks in order to support parsing client hello with TLS_EMPTY_RENEGOTIATION_INFO_SCSV. -Ilari
- [TLS] Can flags be responded to with an extension? Eric Rescorla
- Re: [TLS] Can flags be responded to with an exten… Ilari Liusvaara
- Re: [TLS] Can flags be responded to with an exten… Benjamin Kaduk
- Re: [TLS] Can flags be responded to with an exten… Eric Rescorla
- Re: [TLS] Can flags be responded to with an exten… Yoav Nir
- Re: [TLS] Can flags be responded to with an exten… Eric Rescorla
- Re: [TLS] Can flags be responded to with an exten… Benjamin Kaduk
- Re: [TLS] Can flags be responded to with an exten… Eric Rescorla
- Re: [TLS] Can flags be responded to with an exten… Benjamin Kaduk
- Re: [TLS] Can flags be responded to with an exten… Yoav Nir