Re: [TLS] Update on TLS 1.3 Middlebox Issues

Yoav Nir <> Sat, 07 October 2017 18:38 UTC

From: Yoav Nir <>
Date: Sat, 7 Oct 2017 21:37:35 +0300
Cc: Rich Salz <>, "" <>
To: Nick Sullivan <>

> On 7 Oct 2017, at 17:17, Nick Sullivan <> wrote:
> Yoav,
> Let me make a correction to your scenario. Instead of:
> "You’ll need it for Chrome to work with Google."
> it's:
> "You’ll need it for Chrome to work with Google, Facebook, and most of the 10% of Alexa top million sites that are using Cloudflare."

What part of “not making any configuration changes until the second week of January” is not clear to you?

Seriously, I’ve had this conversation with administrators.

Because if they go to their bosses, they get asked if they can guarantee that the update will cause no outage. Of course they can’t.

Then they get asked if Edge has the same problem. Let’s assume the answer is yes.

Then they get asked if they can turn off TLS 1.3 in Edge using GPO (or whatever the remote configuration of Microsoft Windows is called these days). In all likelihood, the answer is yes.

Problem solved, no?

But, they’ll protest, more than half our employees use Chrome.

So tell them not to use Chrome, says the manager.

Because for the manager the decision to update the middlebox is all risk with no rewards.