Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
Matt Caswell <matt@openssl.org> Mon, 23 July 2018 12:56 UTC
Return-Path: <matt@openssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF4DF130E74 for <tls@ietfa.amsl.com>; Mon, 23 Jul 2018 05:56:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qADxuubaRcUb for <tls@ietfa.amsl.com>; Mon, 23 Jul 2018 05:56:21 -0700 (PDT)
Received: from mta.openssl.org (mta.openssl.org [194.97.150.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 074C0130E78 for <tls@ietf.org>; Mon, 23 Jul 2018 05:56:21 -0700 (PDT)
Received: from [10.38.10.6] (ip-25-84-52-196.southampton.uk.amsterdamresidential.com [196.52.84.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta.openssl.org (Postfix) with ESMTPSA id 92488EAABD for <tls@ietf.org>; Mon, 23 Jul 2018 12:56:18 +0000 (UTC)
To: tls@ietf.org
References: <20180719230009.GD14551@akamai.com> <ce4cb23be8939e57574062e17c4f204f7145d020.camel@redhat.com> <CABcZeBN4tdHZ_fzqqEJNR46BP5bxiy6gWa17xxhfj9YXVAR0rw@mail.gmail.com> <86b69d7d0534d7c711d13182c18774cf484e6431.camel@redhat.com> <CAF8qwaBDXw1vur5eaLhGyMcZefgwX66QBzfXMB+E6mBKsUnwdA@mail.gmail.com>
From: Matt Caswell <matt@openssl.org>
Openpgp: preference=signencrypt
Autocrypt: addr=matt@openssl.org; prefer-encrypt=mutual; keydata= xsBNBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ayhJbwAtsQ 69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3iN7I8aU66yMt710n GEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi2hLApPpaATXnD3ZkhgtHV3ln 3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0YpaN19BDBrxM3WPOAKbJk0Ab1bjgEadavrF BCOl9CrbThewRGmkOdxJWaVkERXMShlzUzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEB AAHNH01hdHQgQ2Fzd2VsbCA8bWF0dEBvcGVuc3NsLm9yZz7CwHgEEwECACIFAlPevrwCGwMG CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0z U0ARvUXHjbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p3tPbnQzA NjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyHsIvebMgKTI/bMG8Z 7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0hmHLqjWqYs5PzyXeoNnsPXJt 69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rgbOwE0EUYAuwgEIAM9nUJAEpsVBYwK92PP9Mlo1 /etXp6JgBI68sOCJxTwzBrbTzIlevVQXqW9zdODD6ObKcgGNuG+G6Nwn54P6McRpd2dxor9Y A+yaI0yT6CVnhxsXjwc/vuQ4tBAL6tfuMAXRVIeEVk22cKk4HJB68ImXCCRdyRi9HIE5iTrZ HsHC4sjAsirhlc0o8hU3gqkKh2Ehwa6+U8lzNx06hoFEZxIVRteoz1jzCHImF7EXztEcDIam O8uckVKAuKbJgFGkU3bkvNgWlc8Pgx4tRUNJGC1LE4nYqaSEwee1SpA/VewiDObj97PozCTF zRCUBCnSvaAlTnpA90TnODH7ar+L5aEAEQEAAcLAXwQYAQIACQUCUYAuwgIbDAAKCRDZxNJt DmBEkQs2B/96XB9hyFpX/bhu41YNr7nSA65dDi9d+PkMqvLppickG3VR4xXWywzEJTw6W2DN MyFO6mOtdXWgNdgDF7HKZYvHBr6pyttLAMP7BfWBvU7YY59uKmUSc5vl0NzsaSbx5PDSQEkS ICLI+/hIwuEXOb6Z7gOrX7F1uy83TmHFOOjD2mLl5isUzFhaLVk0fZSY+mCgg3/inbwb8g31 91Ybk2LfXmndaEsdEzMLrT0g6wIgmybz6UdVuVPfSPGly0VWVAG1sNPOCpAuJpNV6+VxrdVi Ax3vQPbx3XzqDFS1ISlnd0qS/7RXwMuFDpVH/BDvzQcoikWnpRY/loPGkSg4TB7a
Message-ID: <da524fff-a7f6-3938-a26d-48a9f8796731@openssl.org>
Date: Mon, 23 Jul 2018 13:56:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAF8qwaBDXw1vur5eaLhGyMcZefgwX66QBzfXMB+E6mBKsUnwdA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C6DR2asygoOWAv0UV5WDeMZZK7M>
Subject: Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 12:56:24 -0000
On 20/07/18 13:42, David Benjamin wrote: > I think that's the point of deciding this immediate question now, so we > can get some text in the specification. If we decide to fix this, we'd > instruct implementations to (temporary!) turn off TLS 1.3 if 1.2 PSKs > are configured and then, once the fixup document is published, implement > it and remove the version logic. This is interoperable at all > combinations as version negotiation runs first. So, to be clear about this interim proposal: 1) If a client is configured with a 1.2 PSK but not a 1.3 PSK, it should not provide supported versions, and only negotiate TLSv1.2 or lower. If it has both then it should supply supported versions and advertise support for TLSv1.3. 2) If a server is configured with a 1.2 PSK and not a 1.3 PSK it should only select TLSv1.2 or lower. 3) If a server has separate 1.2 PSKs and 1.3 PSKs should it allow 1.3 to be negotiated? Presumably "yes" to allow a phased roll out of TLSv1.3 to clients. Consider the case after Universal PSKs have been introduced. A client that has not been explicitly configured for 1.3 PSKs can suddenly start offering them and will issue a ClientHello containing supported versions with TLSv1.3 in it. But if it then attempts to connect to a server which does not support universal PSKs and has been explicitly configured with separate 1.2 and 1.3 PSKs the server will select TLSv1.3, but then the connection will fail because the explicit 1.3 PSK configured on the server is not compatible with the Universal PSK offered by the client. Or did I misunderstand something somewhere? Matt
- [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3 Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… David Benjamin
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Jonathan Hoyland
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla