Re: [TLS] TLS1.3 Ticket Usage Across Versions
David Benjamin <davidben@chromium.org> Mon, 15 November 2021 16:45 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 542F23A0E93 for <tls@ietfa.amsl.com>; Mon, 15 Nov 2021 08:45:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.949
X-Spam-Level:
X-Spam-Status: No, score=-9.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AWNWP-TmxE5P for <tls@ietfa.amsl.com>; Mon, 15 Nov 2021 08:45:09 -0800 (PST)
Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1042A3A0E67 for <tls@ietf.org>; Mon, 15 Nov 2021 08:45:09 -0800 (PST)
Received: by mail-pj1-x102b.google.com with SMTP id np6-20020a17090b4c4600b001a90b011e06so304678pjb.5 for <tls@ietf.org>; Mon, 15 Nov 2021 08:45:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BT9PKWzFhNr9sc8/TfoE16zckL02yMPpZg/0/LCrSvQ=; b=B8uW4omnSWTXeTVnfXW1P5C53vCt5JCssSo42I1rFoq2o0oWrqq7IQUhSU0wP1xsHX UuwWa0UEZR/xiQEXfIY+6fg6nFBJWh7LmnSbqCOlQWh8a2O0JjlyCRj+o7g6cGaN5Eqt 9Wjkg2tisqUDlI4Jw7Spfc4pB5L2/uCdlcP6M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BT9PKWzFhNr9sc8/TfoE16zckL02yMPpZg/0/LCrSvQ=; b=yABcEJnE3RXaXdbak/0g1CZ8ci1e5+vQOTVaftTbTBNcy4zuVgTJ+uaZJ/J8QX6QkA zDY787YNr096esV107gBKmdN+zOb34sqYcTvLBoGJQZtpbBdEGxXVVzrBLcRGdUttRJ7 haNgAaYmM0XrXs30GuKMyGdueBfQlzwFrD92Mu1/3Esm8KqGOktPapwJeXNvh51qzJI9 lsPzcPVQxwbDp23eAu/IXZb8xHILkkqvXfzpsWsUeWpqY9wAhgIwQ9gsaqxKckaHgf8+ 8ymfi1VquAYlfj/Ag/M3eZO3ceTex3QaFhRhQiL+pYnCRuHI0sO+YXvHWIRmC6OvNgyL ie2Q==
X-Gm-Message-State: AOAM533rV0jGlz4Q+Bb2UZzLs0koG83YpzsV8ft4rBkIkM4NQ+JGi0U1 M/2+1rl2NX20Lz9bdHN0D+cgA+RLbwpDabYVM3HF0OSNoQ==
X-Google-Smtp-Source: ABdhPJyTymD9j1QH7bMeaZa3A0+XVJSdJMztYLdZjmTdgzAMnCEKPoezczbcSIPC5NByooo94n/cCbQJTj+qrDHQUSg=
X-Received: by 2002:a17:90a:590d:: with SMTP id k13mr54808pji.184.1636994707141; Mon, 15 Nov 2021 08:45:07 -0800 (PST)
MIME-Version: 1.0
References: <23EC35FA-D689-4CF9-8D5C-8ECF75B80746@raycoll.com> <20211113012111.GJ6443@akamai.com>
In-Reply-To: <20211113012111.GJ6443@akamai.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 15 Nov 2021 11:44:50 -0500
Message-ID: <CAF8qwaCWGd+Ct5E8OT77U6UVH=NTQqmyr3QMFXEVDSj7e1mbLQ@mail.gmail.com>
To: Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>
Cc: Steven Collison <steven@raycoll.com>, tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000005641005d0d6882c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DI1KCxEgM70yYe3BkzZ-yNYFZtk>
Subject: Re: [TLS] TLS1.3 Ticket Usage Across Versions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Nov 2021 16:45:16 -0000
It could be valid to populate both if the client wishes to offer both a TLS 1.2 session and a (different!) TLS 1.3 session. I don't believe there's any prohibition on this per se. But I've not heard of any client doing this. It seems needlessly fussy and interacts awkwardly with the appendix C.4 mechanism. (And sending an empty session_ticket extension along with pre_shared_key is quite common since empty session_ticket is how one signals support for TLS 1.2 tickets at all.) But that's not what's going on here, since the client is apparently offering the same session in both places. I don't think it'd cause anything terrible (this isn't one of the two load-bearing version/session checks), but it is a waste of bytes and not what the client is supposed to be doing. One could probably argue that it's implicitly against the spec because we say TLS 1.3 NewSessionTicket tickets go in pre_shared_key, and that session_ticket values come from TLS 1.2 NewSessionTicket tickets. On Fri, Nov 12, 2021 at 8:23 PM Benjamin Kaduk <bkaduk= 40akamai.com@dmarc.ietf.org> wrote: > On Fri, Nov 12, 2021 at 04:23:12PM -0800, Steven Collison wrote: > > Hello, > > > > While testing a TLS1.3 client implementation, I found an unexpected > > behavior. Specific sequence: > > 1. Client negotiates TLS1.3 with Server. > > 2. Server sends NST with a valid ticket. > > 3. Client reconnects to the same Server. The ClientHello contains both > the > > `session_ticket` and `pre_shared_key` extensions. The value of the > > `psk_identity` is equal to the value of the `session_ticket`. > > > > Is it ever valid for a client to populate both extensions with the same > > ticket value? Even if the client reconnects and lands on a different > server > > node that only supports TLS1.2, resumption should fail because the > protocol > > version should be included as part of the session state. The > > `session_ticket` extension data in this example is at least wasted data. > > > > I did not see anything in the spec(neither 8446 2.2 nor 4.6.1) that > > explicitly disallows this. 2.2 contains “Both mechanisms are obsoleted in > > TLS 1.3.” when referring to `session_ticket` and `session_id` resumption, > > but that may not be clear enough. > > "Obsoleted in TLS 1.3" is not a very good argument, since we do allow > sending a ClientHello that will be valid for both TLS 1.2 and TLS 1.3. > > I think the relevant requirement here (phrased as binding on the server, > but by extension on what the client should expect) is in > https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.1: > > Any ticket MUST only be resumed with a cipher suite that has the same > KDF hash algorithm as that used to establish the original connection. > > There is some history to that part of the text that used to have a longer > list of requirements (e.g., including matching SNI), but it got trimmed > down over time to just this one, needed for safety of the key schedule. > > There is a certain reading that treats "KDF hash algorithm" as including > the > KDF construction itself, i.e., limiting the protocol version used, though > there can be cases where the TLS 1.2 PRF uses the same hash algorithm used > for a TLS 1.3 HKDF, so it's not an ironclad argument. > > Contrast this to the requirements for using early data, > https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.10: > > In order to accept early data, the server MUST have accepted a PSK > cipher suite and selected the first key offered in the client's > "pre_shared_key" extension. In addition, it MUST verify that the > following values are the same as those associated with the > selected PSK: > > - The TLS version number > > - The selected cipher suite > > - The selected ALPN [RFC7301] protocol, if any > > For early data, the TLS version is indeed specifically called out. > > > My recollection of the discussions leading up to > > https://github.com/tlswg/tls13-spec/commit/fc685853ce52a320fa99cd46e48cf7f8954ff663 > are that the TLS 1.3 session ticket was to be tied to the protocol > version, but > the text doesn't really seem to support that. > > So, in summary, I don't think it's ever actually valid to populate both, > but > I can't find solid evidence in RFC 8446 to support that claim in the amount > of time I allocated to look for it just now. > > Thanks for asking; it's interesting to hear about such an unusual client > implementation! > > -Ben > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] TLS1.3 Ticket Usage Across Versions Benjamin Kaduk
- [TLS] TLS1.3 Ticket Usage Across Versions Steven Collison
- Re: [TLS] TLS1.3 Ticket Usage Across Versions David Benjamin
- Re: [TLS] TLS1.3 Ticket Usage Across Versions Steven Collison