[TLS] [Technical Errata Reported] RFC8446 (7250)
RFC Errata System <rfc-editor@rfc-editor.org> Mon, 14 November 2022 16:50 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 074FBC14F73E for <tls@ietfa.amsl.com>; Mon, 14 Nov 2022 08:50:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.646
X-Spam-Level:
X-Spam-Status: No, score=-1.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3q-FofQxgDcE for <tls@ietfa.amsl.com>; Mon, 14 Nov 2022 08:50:17 -0800 (PST)
Received: from rfcpa.amsl.com (rfc-editor.org [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C09EC14CEE0 for <tls@ietf.org>; Mon, 14 Nov 2022 08:50:17 -0800 (PST)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id E656455EAF; Mon, 14 Nov 2022 08:50:16 -0800 (PST)
To: ekr@rtfm.com, rdd@cert.org, paul.wouters@aiven.io, caw@heapingbits.net, joe@salowey.net, sean+ietf@sn3rd.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: aland@freeradius.org, tls@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20221114165016.E656455EAF@rfcpa.amsl.com>
Date: Mon, 14 Nov 2022 08:50:16 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/A-tmh6BF2ceNmL-DHcSzKEEPqgA>
Subject: [TLS] [Technical Errata Reported] RFC8446 (7250)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2022 16:50:21 -0000
The following errata report has been submitted for RFC8446, "The Transport Layer Security (TLS) Protocol Version 1.3". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid7250 -------------------------------------- Type: Technical Reported by: Alan DeKok <aland@freeradius.org> Section: 4.6.1 Original Text ------------- The client MAY use this PSK for future handshakes by including the ticket value in the "pre_shared_key" extension in its ClientHello (Section 4.2.11). Corrected Text -------------- (to add) Where the client does not support session tickets, this extension MUST be ignored. Notes ----- I've seen a TLS implementation which doesn't implement session tickets. That's fine, but the implementation doesn't *ignore* session tickets it receives. Instead, it treats reception of the ticket as un recoverable error, and drops the TLS connection. It's also worth adding a note to section 4.2 at the bottom of page 38. To note that in general, f an extension isn't supported AND doesn't materially affect the TLS exchange, THEN it should be ignored. i.e. there's nothing in the spec which mentions Postel's law "be conservative in what you send, be liberal in what you accept". So implementors reading this document are free to do all kinds of odd things. In addition, the text in Section 4.2 at the bottom of page 38 says: " Designers and implementors should be aware of the fact that until the handshake has been authenticated, active attackers can modify messages and insert, remove, or replace extensions. " The implicit conclusion here is that an implementation receiving extensions must sanity check them. e.g. an attacker adding an undefined / unknown extension should not cause the entire session to be torn down. Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC8446 (draft-ietf-tls-tls13-28) -------------------------------------- Title : The Transport Layer Security (TLS) Protocol Version 1.3 Publication Date : August 2018 Author(s) : E. Rescorla Category : PROPOSED STANDARD Source : Transport Layer Security Area : Security Stream : IETF Verifying Party : IESG
- [TLS] [Technical Errata Reported] RFC8446 (7250) RFC Errata System
- Re: [TLS] [Technical Errata Reported] RFC8446 (72… Eric Rescorla
- Re: [TLS] [Technical Errata Reported] RFC8446 (72… Alan DeKok
- Re: [TLS] [Technical Errata Reported] RFC8446 (72… Eric Rescorla
- Re: [TLS] [Technical Errata Reported] RFC8446 (72… Alan DeKok
- Re: [TLS] [Technical Errata Reported] RFC8446 (72… Eric Rescorla
- Re: [TLS] [EXTERNAL] Re: [Technical Errata Report… Andrei Popov