Re: [TLS] PR#1091: Changes to provide middlebox robustness

[Hubert Kario <hkario@redhat.com>]

In general +1, I like to see TLS 1.3 deployed ASAP and making the spurious 
failures as rare as possible is a good way to make that happen.

that being said, I have few comments:

On Monday, 6 November 2017 19:19:01 CET Eric Rescorla wrote:
> https://github.com/tlswg/tls13-spec/pull/1091
> 
> As I mentioned a while back, we've been seeing evidence of middlebox
> intolerance. I just posted PR 1091, which is based on a bunch of work
> by the BoringSSL team and an original suggestion by Kyle Nekritz that
> should significantly decrease the rate of these errors.
> 
> The general idea here is to make TLS 1.3 look more like TLS 1.2
> resumption. The major changes are:
> 
> - Move version negotiation entirely into "supported_versions", and hence
>   ServerHello.version == 0x0303 (TLS 1.2)
> - Restore the missing session_id and compression fields in ServerHello

less special cases in parser code - big +1

> - The client sends a fake session_id and the server echoes it
> - The server sends ChangeCipherSpec messages after
> ServerHello/HelloRetryRequest
>   (so that the middlebox ignores any "encrypted" data afterwards),
>   and the client sends ChangeCipherSpec after ClientHello. Either
>   side has to ignore ChangeCipherSpec during the handshake.

That's the part I have a bit of a problem with.
If the CCS is necessary to make middleboxes work, and given that lack-of-CCS-
intolerance is not something that we can detect reliably (not in a way that 
can be simulated by an attacker), I think the CCS should be baked in the TLS 
1.3 as deep as it was baked into TLS 1.2.

That is, the standard should make it a mandatory message to send, fully parsed 
and validated, requiring aborting connection if it is received at any 
unexpected moment, in duplicate, omitted or malformed. Not only as part of the 
"compatibility mode".

> - Merge HRR and ServerHello into a single message with the semantics
>   distinguished by a special ServerHello.Random value.
> - Switch the record layer version to 0x0303 for post-ClientHello
>   messages to match ServerHello.
> 
> Once you do this, the middleboxes seem to mostly ignore everything
> after the CCS, so the rest of the handshake proceeds smoothly.

So I have this crazy idea... What happens if the first message sent by client 
and server is the CCS?
 
> This is all a bit nasty, but none of it changes the cryptographic
> computations or the state machine (because you just ignore CCS).
> Several of the most unpleasant changes (sending fake session id and
> sending ChangeCipherSpec), are only needed in compatibility mode,
> and if you don't have to worry about middleboxes, you can just
> omit them.
> 
> There are implementations of these changes (except for HRR) in both
> BoringSSL and NSS, and Google has preliminary measurements with these
> changes that show comparable error rates to TLS 1.2 (I expect them to
> publish those shortly). We expect to have further measurements from
> Chrome as well as from Firefox by the WG meeting.
> 
> Please take a look and hopefully we can close on this in Singapore.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic