Re: [TLS] PR#1091: Changes to provide middlebox robustness

Yuhong Bao <> Wed, 22 November 2017 17:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BFCB3129503 for <>; Wed, 22 Nov 2017 09:52:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.875
X-Spam-Status: No, score=-0.875 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zaG8V5qhvAwg for <>; Wed, 22 Nov 2017 09:52:50 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3DD241294DF for <>; Wed, 22 Nov 2017 09:52:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=9lVEppWIk6I43N9alZgDbLqlp1VM2P1xu8zKH3cVnzI=; b=hM/VDb4rrPMDQw7y1rzimLPFQvL2nnybCX5Dw2QbAzh3MIak1gFBp6Q2QTLEvxaMg/HVlf1l+YOGnsQn0rb/wMhL7qT0ZWbW7ILQRDUPFPhmJj1erWi48PQwrKOj2VtCRg10ykyS7v2kOKy3F0cqPbRXp1BhpVVZQ4emXtdOox1CgaOgocKotNoZP/jK2L4f9pX6jZJ6jS7EJQ1uQbNriDq4bYDrddJmR9kMSyOWIORQlTk++1cisRZMVg9Gtvx/wfXjcOlX9ODl56NHAHYxcaY3G1TkLTtVF7phfQ9bPc+8ccE6qUY3QPTnIkaKQcYPcstwA0dhjJPF10sjvFU11g==
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id; Wed, 22 Nov 2017 17:52:49 +0000
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id via Frontend Transport; Wed, 22 Nov 2017 17:52:48 +0000
Received: from ([]) by ([]) with mapi id 15.20.0239.009; Wed, 22 Nov 2017 17:52:48 +0000
From: Yuhong Bao <>
To: David Benjamin <>, Tapio Sokura <>
CC: "" <>
Thread-Topic: [TLS] PR#1091: Changes to provide middlebox robustness
Thread-Index: AQHTVyvb2MH+ZKktR0KvrQ+TnVw5FaMfyD2AgACtqICAAFERWw==
Date: Wed, 22 Nov 2017 17:52:48 +0000
Message-ID: <>
References: <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-incomingtopheadermarker: OriginalChecksum:0ADDB0F0F550F00E0357164ED63149A82AD75B9D012D0BFDB3F666584252CD82; UpperCasedChecksum:E953DBFDB7A8997FC6DAEEECA2AB3786274834B79B8FB3E3EB880D8B29591CCB; SizeAsReceived:7390; Count:47
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [XTMq0STemv02kEtzpBwwZtXq720eSlySBzC4y6I3zFpqBMlkIqC1H5rZFYfoqmIr]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM3NAM03HT185; 6:CMgdgotXwuDtqgqXuAkEqsHlweGGW3ROOpSxS7MJAnUz0w5N2y3H9D/oYyhyIYXFwV2ORGAKztDAZt2g/6TkfE0+Q5nmzNT74nQdZlIi9NI71KoxOpCnk4hiqjpd6538mzov5FVjg12xTuTy7eZ8z3Ums1dhYUlLUW/lKlQdA/yKImiUs4r16t8q2GydMmyEcX+efRnYxUvrNETNHUVu7iWC1ooyqMPRfY3/M/aBrBjzWWpyk2FjG2hpxQCS2EWXQjxSFGeVgq8v5IDEAOvUiOY7RIvz/L+I3zCvyyflauEYcL7TnNAr8U0zwb3xFE748+1p4WfprFlPNRxfVXiuK5EACsGZr8G6y0ckLwXNz8U=; 5:8lg8QM6jnbcoy6Ktntxm164aymzSeu15ndTRAHtoyPi6DnMLLub0Xb0QlBF/5poNcf2ZdZlX5D/dSa6nqtCUhY1lE1qh1bFH232iqGNUWLt45eQ1cWbIsooHlU+P0m1NPC6BiB0GIC1ZVnBPcmPi0yE9F6OLg95ZFAtR1FCHs0E=; 24:9pTQPvL2zlWAj8YgJrM/3VacdBkeTX8/3tlvYn/G6WKFhdYh/2xlDvybhNxw+8rGbGndz8hc276XEAgi8T/KyW7eD57ZeYzCJyLieuqnByU=; 7:rla2vEU97FRGt0QAQjMC7VZ0x/QwftUzhtkUszAqPLvLc0+KHoCxtHh14sc88cfVptKNjqainsKh4Y9jVfIxDqKwYsChzEQ4ZIWb34Mly4QczLVlDPKPi+IU9oWYMY/Tw3vg05wlAwu7dfMx2wC/q7IG3+JGIvdHP6wv4IS7qETdzCnDkATRhkbZREeaU8tgSqB27NxwyPISAB3wsxuu29tyw2XgEJ2ApYTIb6H09DXUt3z9gDBASGEwew11gR+h
x-incomingheadercount: 47
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1603101448)(1601125374)(1701031045); SRVR:DM3NAM03HT185;
x-ms-traffictypediagnostic: DM3NAM03HT185:
x-ms-office365-filtering-correlation-id: 4b4c1889-7c46-4db4-56e7-08d531d1d842
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(444000031); SRVR:DM3NAM03HT185; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:DM3NAM03HT185;
x-forefront-prvs: 0499DAF22A
x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:DM3NAM03HT185;; FPR:; SPF:None; LANG:;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 4b4c1889-7c46-4db4-56e7-08d531d1d842
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Nov 2017 17:52:48.8320 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3NAM03HT185
Archived-At: <>
Subject: Re: [TLS] PR#1091: Changes to provide middlebox robustness
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Nov 2017 17:52:52 -0000

The real question is if getting into an arms race with middleboxes is even a good idea IMO.

From: TLS <> on behalf of David Benjamin <>
Sent: Wednesday, November 22, 2017 5:02:15 AM
To: Tapio Sokura
Subject: Re: [TLS] PR#1091: Changes to provide middlebox robustness

As a source of some of those numbers, someone interested in actually deploying TLS 1.3, and, most importantly, someone who would have to deal with the fallout of that deployment, I can unequivocally say those are not "very good" figures. They are completely implausible by orders of magnitude. TLS 1.3, the secure upgrade to TLS 1.2, is not even close to being deployable today.

Unchanged, deployment would require a unsecured version fallback, the same one that gave POODLE. An attacker could silently downgrade us to TLS 1.2. That ServerHello.random anti-downgrade signal would have been purely wishful thinking and never implemented. I think this would be a huge step back. A de facto fallback would also send the same signal as tweaking the protocol. There isn't enough incentive for middleboxes to ship updates or for administrators to deploy those updates when doing nothing works just fine. For 21 years, since SSL 3.0, we didn't really change TLS's handshake and left it all unencrypted. In retrospect, it's probably to be expected the network latched onto it. Ignoring the problem won't erase those 21 years.

These changes are certainly ugly, but they are only ugly. They have no impact on security, unlike the fallback which does. There is a complexity impact, but, having implemented it, the impact is actually quite small. Making the first server message more uniform between versions and HelloRetryRequest is even a small convenience.

This is indeed baggage, but that is not new. When I think of the consequences of buggy middleboxes, I am actually less concerned that our first roundtrip needs to look a little funny, and more that we are wasting three bytes in front of *every* record (PR762). That we have entirely lost TCP and my colleagues on QUIC needed to start over on UDP for improvements. That even then QUIC ran into ossification later on. That every protocol change is risky and requires endless experimentation. That the reality of engineering on the Internet appears to be: if it was observable over time, it has ossified.

I share the justified frustration with this picture, but it's reality. There are two questions now:

1) What we do need to do to deploy a change today? (Our handshake versioning joints have rusted shut, and we need to break them free.)
2) How do we avoid needing to do worse tomorrow? (We've got it moving again, and we want to keep it that way.)

PR1091 seems to answer (1). (2) is harder. We need to think about how to avoid ossification. Writing versioning invariants[*] clearly is an easy step, but text alone isn't enough. Reducing unencrypted portions is also obvious and valuable in itself, but TLS has a bootstrapping problem here. We also need to think more in the direction of GREASE, but perhaps further as GREASE itself only tried to prevent buggy endpoints.

This is a difficult question we won't fully explore immediately, and solving it is not going to magic away (1) anyway. So I think our first step is clear: get through the accumulated rust.


[*] TLS's versioning rules are quite restrictive. We promise you can parse newer ClientHellos. Everything after that is fair game to change. If you produced the ClientHello, you can reasonably assume the peer won't send you anything that will confuse you. If you are forwarding a ClientHello you did not produce, you MUST NOT process the response in any way. It will contain incompatible messages in the future. Alas, reality shows that the network did not observe these rules.

On Tue, Nov 21, 2017 at 9:41 PM Tapio Sokura <<>> wrote:

On 6.11.2017 20:19, Eric Rescorla wrote:
> Once you do this, the middleboxes seem to mostly ignore everything
> after the CCS, so the rest of the handshake proceeds smoothly.
> This is all a bit nasty, but none of it changes the cryptographic
> computations or the state machine (because you just ignore CCS).

The discussion in Singapore on middlebox issues during the WG session
woke me up on this. I don't post much on this list, but here I have to
say that this dance to work around middleboxes looks seriously like
putting the cart before the horse.

I'm not arguing that the cryptographic properties/security of TLS 1.3 is
affected by these changes. I'm saying that this messing around with
making 1.3 look like 1.2 adds unnecessary complexity that will just hurt
everyone in the long run. In the short term you get a few % more
successful 1.3 handshakes, but once it's in the spec, it will bother
implementers for years to come.

Sometimes you have to let some things break to be able to move forward.
If over 90% (the figures presented in Singapore) of TLS 1.3 handshakes
already go through without 1.2 emulation / middlebox compensation in the
protocol, I find that a very good number for this point in time.

It's the middleboxes that should adapt to be 1.3 compatible, not the
other way around. This is not sending a good signal to the industry.

Sorry if I'm beating a dead horse (behind the cart). But my
interpretation of the comments made during the WG session indicate that
if there's consensus on incorporating these middlebox compatibility
changes, it's a very rough consensus.


TLS mailing list<>