Re: [TLS] Is stateless HelloRetryRequest worthwhile? (was Re: TLS 1.3 Problem?)

Michael D'Errico <> Thu, 01 October 2020 14:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C935B3A1093 for <>; Thu, 1 Oct 2020 07:04:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=HBpZk6Zg; dkim=pass (2048-bit key) header.b=f3U/yOEA
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IAZM0mtkFCu6 for <>; Thu, 1 Oct 2020 07:04:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A09E43A1090 for <>; Thu, 1 Oct 2020 07:04:37 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id 5D1DE5C01C1 for <>; Thu, 1 Oct 2020 10:04:35 -0400 (EDT)
Received: from imap21 ([]) by compute4.internal (MEProxy); Thu, 01 Oct 2020 10:04:35 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h= mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=/hQZcJdQpSbf8YcLdMFPCt7d2dI5KKw wj6kYGzepOoU=; b=HBpZk6ZgCfBWgmGWxGKVlAdCGAGjLOuNvXoW+iRGWnZkUee 8pRIt5YIN+WYN4hOjgi7EBk76eMwCUodkzNNDyha+RJu+yRfpEfkS5k9FefqW84X bSLrpVZccBP/g+u3FvLdpA+/JqrJVk9wAG9vggAWrpAKvvq6ydo8c4k0DF8IKqd3 MOwKESP4KS0Eb2WnDY7G1czW6PNsmk0mZQkBnIiwuGXlDGFdQGsiS31lqClDMJND dkMbIEzwhvdw9QgQ0nnsJf8Wn1ihiQQKQElSIFhHu1lIwTwDz2qXS+Ppkwxt+G4V iWPoY31Ng9nAzXLWY8lh/k1LsPwx0iQGyb0FGhg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=/hQZcJ dQpSbf8YcLdMFPCt7d2dI5KKwwj6kYGzepOoU=; b=f3U/yOEAPhrZpQlvF326wl BFNGAvuyATpf3dcfOpRm8uGR1yQUBqF+RBiWw1khEv8j/DXmbqZSMGKeNO7tGZ7M vjstbKlnSi+tHt+/+gbtyMeWQSk4Lu+focOpMbb57aAMNMeyiiAagGuAVnaDYqvL RyXBNKSB6X9noyBGTNe2Tr+Ao+eAyRLVeqAVrHkjETaoi5j7t07/4v3c34n0ic9Y NEcVlYQjErl5gZBpUloHwfTs3F8nt55la8yStpFzIbd4wHBUeI9yJKhVv3P2tcTJ tzzv+BOV7Hta+02ExRj+OoeLfnlMq7nc5+/Nc0kldmkd1ZXdORI0ZbodJVeOPPPA ==
X-ME-Sender: <xms:8uF1X4CMoviwD9L7X5koPuX3jg1BLiWBuNTgwF408v3vR2A3UWqVxg> <xme:8uF1X6juZrVL7lMimPB_heqT-zglqrqCGOvWZ4VDrRDHppYH5f-8Vi6P0SHhxi7_Q gaEZveMiwwhyPdAHw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrfeeggdejfecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreerjeenucfhrhhomhepfdfoihgthhgrvghlucffkdfgrhhrihgtohdfuceomhhikhgv qdhlihhsthesphhosghogidrtghomheqnecuggftrfgrthhtvghrnhepudeuvefhgfetgf eiveffheeiueejlefhudegjefhkeeffedtleejtefguedvuddunecuffhomhgrihhnpehh thhtphhsfiiffiguohhtmhhikhgvshhtohholhgsohigughothhorhhgohhrughothhnvg htthhothgvshhthihouhhrohifnhgtohguvgdrihhtnecuvehluhhsthgvrhfuihiivgep tdenucfrrghrrghmpehmrghilhhfrhhomhepmhhikhgvqdhlihhsthesphhosghogidrtg homh
X-ME-Proxy: <xmx:8uF1X7nlfmFjp2aYQfzT8CZ6PaBcIZ2ZsDG8z9uqcP-r2hoR-w9GeA> <xmx:8uF1X-xx2_4zpzYu9gBQhzGlk3Q5MFeKDPtrnnt-uSQw5O3Dl_86zw> <xmx:8uF1X9RNnZXwN_cxdGIPzSM76D1U_yzE3h1qrSaUVl3VqQ2duyoJng> <xmx:8-F1X0cHCF3Q6A5stLbKT9mXoX-woddRHhkPlE8eyyzs2d4hlnfOiQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 71187660069; Thu, 1 Oct 2020 10:04:26 -0400 (EDT)
X-Mailer: Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-382-ge235179-fm-20200928.002-ge2351794
Mime-Version: 1.0
Message-Id: <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <03ba01d6974e$ffaefe30$ff0cfa90$> <> <> <> <>
Date: Thu, 01 Oct 2020 10:02:37 -0400
From: "Michael D'Errico" <>
Content-Type: text/plain
Archived-At: <>
Subject: Re: [TLS] =?utf-8?q?Is_stateless_HelloRetryRequest_worthwhile=3F_=28?= =?utf-8?q?was_Re=3A_TLS_1=2E3_Problem=3F=29?=
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 01 Oct 2020 14:04:39 -0000

> I am having a difficult time understanding the tradeoffs you're facing.

This is the first time I'm reading the TLS 1.3 RFC.  I have
implemented SSLv3, TLS 1.0, 1.1, and 1.2.  You may have
used my test server at https www dot mikestoolbox dot
org or dot net to test your own code.  It's kind of old now
since it doesn't do ECC and the DHE_RSA key exchange
I focused on has been disabled by most clients so you
end up getting a regular RSA handshake now.

I have gotten caught by the stateless HelloRetryRequest
and can't get past it.  You can't possibly implement it the
way the spec suggests with just a hash in a HRR cookie
extension.  If it can be done at all, the stateless server
should probably just put the ClientHello1 and HRR (minus
the cookie) into the cookie extension.  If this is how it
should be done, then the spec should say so -- exactly
how to do it so everyone does it the same (correct) way
and not just hand-wave it and say figure it out yourself.

Getting the cookie right isn't enough because of the
potential for resending an old cookie by a mischievous
client.  Nico suggests that replay caches are hard to
get right even when your distributed servers are all
talking to each other.