[TLS] Input on ECH specification
Elardus Erasmus <Elardus.Erasmus@Sophos.com> Wed, 07 February 2024 22:06 UTC
Return-Path: <elardus.erasmus@sophos.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 348B0C14F73F for <tls@ietfa.amsl.com>; Wed, 7 Feb 2024 14:06:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.802
X-Spam-Level:
X-Spam-Status: No, score=-2.802 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sophos.com header.b="nAS8wnRi"; dkim=pass (2048-bit key) header.d=mail-dkim-eu-west-1.prod.hydra.sophos.com header.b="6pmDI2BD"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vzu2L2ZHEDQS for <tls@ietfa.amsl.com>; Wed, 7 Feb 2024 14:06:25 -0800 (PST)
Received: from id-euw1.prod.hydra.sophos.com (id-euw1.prod.hydra.sophos.com [198.154.180.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3A4EC14F616 for <tls@ietf.org>; Wed, 7 Feb 2024 14:06:24 -0800 (PST)
Received: from ip-172-19-0-196.eu-west-1.compute.internal (ip-172-19-0-196.eu-west-1.compute.internal [127.0.0.1]) by id-euw1.prod.hydra.sophos.com (Postfix) with ESMTP id 4TVZ2R1WC8zKm4j for <tls@ietf.org>; Wed, 7 Feb 2024 22:06:23 +0000 (UTC)
X-Sophos-Product-Type: Gateway
X-Sophos-Email-ID: 0084574540de45a1be227b2646d79870
Received: from GBR01-LO4-obe.outbound.protection.outlook.com (mail-lo4gbr01lp2104.outbound.protection.outlook.com [104.47.85.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay-eu-west-1.prod.hydra.sophos.com (Postfix) with ESMTPS id 4TVZ2P60tqzYcn2 for <tls@ietf.org>; Wed, 7 Feb 2024 22:06:21 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IcFzRZZl9+YVdxGItkLq7PIPl3TNOjAgT5N1FmgmbQFBmDE3cvl+mki2WLM0E7JsbpuWSxHazsvpYRE19ATJVJBZOTHyLbMCftkgq9iaQlmB6YOqxiuedooswtZoo79WlejR3QH10BiLXcnCG7pR5OUeN0b4JXMrubA1ZfWy76Cggc7bMz2UAQ53UNcNsgIgYVQ/SMVL58B86BTlwxbS2rTWqGxs15AGWS3Gv8FHhPq7J7QNdMrGcNXVkfGqSc3PD9mtRM7riTZbg8OrgEmENKnkco+3KgZz3YwkKKbrEpj9g2rq3VZDJQHtFVxyTyVpxTjYq5CuSYZxIkSWLL5aBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=E1wHxY9Pkf/CRMlAx8CkHW74hpLXNP5NkRKsjpc/9Fo=; b=lSfiC/+w3LErolhcgMxgsFkuFP1uXutqYIwIIVdcJOeA8tm5y7czFH2RKLfu1HCZ/S3VY/VKauKoXB/YpIpGbdMon7TjTUSkHN1v0ndQnZuJDpumXB0e0f3fOlufzDV3/eHPAC/75az+pyePnJpSaGbirL6gg/QUSiz3nrnlzoVEwM+hpUeQMQHKBBgvyan/m5/EkNEeeXmY0ApHUW73v0QKsRVEPqnVQwrn1y0CpBGeR0bqaTas8VhyptKGyhr0Yrpmwovq4PzEOO4Z0T3wEFJCcz3JETZ+bcHt8r7WGkQDGWWYhXMgPYDgdLwQLZTeRmhtd3b+Os4BKenAcKsv2Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sophos.com; dmarc=pass action=none header.from=sophos.com; dkim=pass header.d=sophos.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1707343579; s=sophosf69f0521910d49beb03f4ce823e25fdd; d=sophos.com; h=Content-Type:Date:Subject:To:From; bh=E1wHxY9Pkf/CRMlAx8CkHW74hpLXNP5NkRKsjpc/9Fo=; b=nAS8wnRic61bzPJrkJlLfOHXdYVWZiba+MJjONBw0ddWX/yD4S+NdH90wTbADwJ+ UA/Ria4jEvp/Pmhhd2YN5DzIht790QZ111FXAZ/r3hYXVo3wkvcu3CgA7e/lJYHB2Rt UTSVInH6XxZrAoomBZ24BGzeZUS/3batyNltBloNIeR6Xw8ONWxE3E013LysnPTLPQz /iIukVxewemRjXh1rDWnvvQEFDx4Q3V/Gq5GoiRr0X4nH8h8DmmlKCWxxCVmrCUtsvI kMuHgRaF6NS57RWS5ZNTFdHs87sxsRxtqoGDWD2EsnzclFXdpXIpTjDlRWLoThXX3to 3OVqR2y0UQ==
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1707343579; s=v1; d=mail-dkim-eu-west-1.prod.hydra.sophos.com; h=Content-Type:Date:Subject:To:From; bh=E1wHxY9Pkf/CRMlAx8CkHW74hpLXNP5NkRKsjpc/9Fo=; b=6pmDI2BDFGrzJDAB9kTxgQUnDZKSHFJbptL0VSe9j0PoomIl1OHT6n4NI1eiYsL8 oyxhlouaXKrqRZgay1G2r69y/Q3Wq9TK7syWFTZId0cAeCodsvdkE7vuoqoBkEsEvPH MZgEIyywdLd4E8CXEvy4BiG60yPAT786DOw4oKH39AN4UM2ZKX0p89RSxW43gsrFuEd qbWinEkGPDhCXSvZ9sXcH5ossjTa0Fk9azAQX845SzyJexsgVyZbK4e7Ck1RchTkKCU EKH4IKLnPS/fIubUAtJ8sP7gESkVJWf7xjwWm78+AD2xJVcWdH00HR3KdapObLwIJrS nilBKGtlaA==
Received: from CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:150::9) by CWLP265MB2563.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:a8::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7249.39; Wed, 7 Feb 2024 22:06:19 +0000
Received: from CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM ([fe80::cb5:fdae:5bb1:fa46]) by CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM ([fe80::cb5:fdae:5bb1:fa46%4]) with mapi id 15.20.7249.039; Wed, 7 Feb 2024 22:06:19 +0000
From: Elardus Erasmus <Elardus.Erasmus@Sophos.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Input on ECH specification
Thread-Index: AdpaEZ4w95BWOi+/Q+GJzQV0Cra2GA==
Date: Wed, 07 Feb 2024 22:06:19 +0000
Message-ID: <CWXP265MB46815100B9E7A58D77168E9595452@CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=Sophos.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CWXP265MB4681:EE_|CWLP265MB2563:EE_
x-ms-office365-filtering-correlation-id: 3c4175d3-8b52-47aa-995a-08dc2829038a
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: rT1ZYMV+uBteOZYzUA5hDIhZEEmLbtrlfnvIn1Pr+b8YZEfO2Kdq4CJIv0zulNU+kcnJ/er7aqqHQO6A7HpYpsG0c+VK7fOWe/ytPzIyb8ORaoXrn7BuLtIZ1cGvwR4yDwBSGQymUo/tcJhelY5CAvbTaiSeXH9eezrKyjrXOW3a4SUkYTT3f5YIbVitClSbkRMmZWGj5JXuAGLqbyJBJwVgI+EqV5UL3plgUsGbRVM3/wL8mLZ+AD2PJrXloXrxAiPOwzZyNnkokPceDHgUleVQJGdpEXbQAVjQJ2tog6sVMZBtCsSaIs86dsDyxtLkl6NX2XPwjokoOUrWhaObG8Cpp86dqywsspJcVsyFAdbKInGM4ffqj8U+d9Aq5IR1Tli/uHMbOIzsutPQsBs8aPLYq+Jwz5YkqFstslga+yG2OtLFZhrAEAOL6jYZKgFPWtYQnPd5v5srFid6rHSLwUtxxqdx4OBe8gMxl8VjvJBi/axRaCiyDMAZEt5251bCc1/gBgNDJpdzNOQG/zLQlLioBACLtwmWhqaM8iTbWIvLtQSPVScRrQP1GDbtmknWX6hUFhP0B051GSP+PJe30b+5U/xfe1sJWhwtHSa1ouI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(366004)(136003)(396003)(376002)(346002)(230922051799003)(1800799012)(64100799003)(451199024)(186009)(41300700001)(52536014)(2906002)(55016003)(8936002)(8676002)(9326002)(5660300002)(83380400001)(3480700007)(86362001)(166002)(33656002)(38070700009)(26005)(66556008)(66446008)(66476007)(76116006)(66946007)(7696005)(6506007)(71200400001)(38100700002)(122000001)(316002)(6916009)(64756008)(478600001)(9686003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 0MuDY/ivLOr2JYbkM+KWIGoEmOwppMt6ujc/qWkTKduZ2TIYUlTnCUjVr4TXY+BWxWQuCN83N/NnF9KF/xVkodF/nNWlfavgi5Ey5nsF4caKqndlIBowk0QnY4r2Qr0jw/l6Ec8278Vdpiak0BzziSCzGYINj1LxGXhdQbz8EMBHPXbx0yCwUHbcxXryHJ8u/ED5kob6QwAEsjUVjTqpJAtMxxvR15c/67OFZDrEwNqc56AUqhiCF70O2Bjrp5JjurdVsfMON1Xu1RupbZtHuSbxtHV6pmSz5AKfdKmIYM6uS5pK7/vkSdi0Vdqu0NUOhFEAUhtzDCLB3eBwJcv4PrrNRcWIOL7jQoXa57392Z262Z12bIfp53AJNQpN66gpFF5eGbFCEaiRwxcrHiMigXgc0U48aPQwtuZTOfSlY6yz73kXI3Gb+xCQmu+FLLRftNaMVgbOKzdKJiHuYLZTHT5i6+fUrLm6sMBwfgKzzeHa/TD3Pb0+cr/8wneLMCqgLBmqR+IqFTDpBC9K+pdOn6GIglb/60bXgLussUj/H/k3LfbWbmQNMogYgdnz0kHREDqFvW//r2HLsRnjqRNor14DWWngL0vC80YHv+0sasGy2JXr9El9bGEYvsMIU4TjQ5M25G9Q02oISawdnXqHFtEzoQkgRjTTD0DR3WQY8g00DC/bIj7qFz8BsLoHNY6NKLWFxFswtPk8I8tbTKWFQaF5x5c978I+gzDvCxP51W4v9fVDfiNBGzKAtAHJNoDo12KG8xjOcRAJCoeE7DEOPjkIgBBJkRLniqTlmBDltcsVZCjtHSzaufyiguiFW58lZqxDd8mntIvhhGeIE8fhSUkPNTLeSxFz+4DsdE9Rl8bvMku07/ylfGAb5bN6/cuhJp0dKJIMLvolOLAUU7YeE360Y7V2eAXxI9FpUbI4O3Sn5RgQ4QCNXVmtiGBANZekJdq5HisWGYqiThzlWu8JyBryOgVOycUMUze/y39tsPr27g+a+V8fJ1PUykr04n5Ub+oxnBII+fDY4wvblNjy83scSZD+F5tmXubcCbs3d9me2Z2rOh2VWRUxCOiKY1alIbvwbwZOd/wl7d7qaU2qRESUME1u3yeK8AR5JuoTTe8ZwozdSphr26g1I8w+UG2E39V5jEkw7lavF018Lj0cDGdUEHCRjDD3DkfoB9Hb8bDbU+IFPGRbmbAYmY+mpjnQjGl7ARd4IwO1N1drICMof//rTEkdqziggb8pKfzGc0WHWYggMu1BA01wxK981Jg39Fo2A+uaM2Ly36DqXVSdesHOgwtCBZkI4RNryRisoE1Zi7658llJ80qjaqzCgrlgDmcfwObfGGRXh3D+FU5cnFmqa7WD2YqZFVghDJaWThLwYEXT1nMaw6M4Kx1Ic82DAzAktaWWfye74PEpjykKO+DNvGJZlDir/zehKYsLdq+s1QjrM4kBsR9xORuwRRuNP/2nN27xlnN35Lrk4gdXAkXn62zTHG9KSlKjVKb9ixsyfaZi/Rrhy36tek9r8TZSutKbGfqQdu0iN7ZkGbwv+SgZJqFlqlFonGnnguNbQlhImZOwXgqMdHk7j/5IfQQR
Content-Type: multipart/alternative; boundary="_000_CWXP265MB46815100B9E7A58D77168E9595452CWXP265MB4681GBRP_"
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: A0B8aZPpQBXOI2eF0Q87N56nWog73tvfPIsRqIQabIW622/BDhgDXhpIM2JF4hKXV3U8wzFt4jfSND5C6VtAhwyhbCr0vd+JEIi9qugM5d37GnJKeKV/ZTwo2czW7bkNPRPSB9f94nFsTRBUUq301Ts6KojDtWkgiJSMv78U72ddLvKgMIZjdJdpSqttzYYggFlva8b7vPkuNuUtNEhjAFgj3cfd7zSluf7uku2jGpVsiHR7yPQeacpPWD9BaefYuZGE49K3RgYyT2yokPEP9I6kbVvBEDjJjWEeQgj+3I6kJftsr3uabHfM98rwifw61wy9abmKcECTWK0vySlNhv+KYeuGzRkMgqAhG3oC4vrEBmSHIXR2NjJefNIHH0W2swZIOHVjpxHm87xqVZlw5REnXIXTO9i4GavhBYRLZ2PuOTCu7y9Acdaeg1p3Tr3ANLEuTSrgVuVlB03kGYC9ibBN1jNWrBsM2P7Wv7gB2TufHzocqg+FfEpzb0OLXbjWULIM9pBrXNlumR4PJP+bVC0cE0JXggZXZzVAOtqXEAVNAxvxA+i2ZctXGfOz7z+cea9Fzo7cxO7V6iVJ01tOEIfmocEPxqILka6ymGCAwIA8/DNWQwYYTvcIsiCTfez23/egJNgK9YbAWwQj9Wd+TsjdSshb/eEVW8O+mlQzIMSgiuYWC5NsHconTKvTP7Kp
X-OriginatorOrg: sophos.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 3c4175d3-8b52-47aa-995a-08dc2829038a
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2024 22:06:19.7713 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 358a41ff-46d9-49d3-a297-370d894eae6a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: AK59fK5HKYH8WQ85Nv8ZQZdoRY6YsnvNN+CVQXrePLL2KsJGCsUaOQ3GFNVbLRlFhZ10idY1bYebi2c6GIa1I+mprjFWjeUP6Ci9+sO3Owg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CWLP265MB2563
X_Sophos_TLS_Connection: OPP_TLS_1_3
X_Sophos_TLS_Delivery: true
X-Sophos-MH-Mail-Info-Key: NFRWWjJSMVdDOHpLbTRqLTE3Mi4xOS4wLjE5Ng==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/I3aD_sfhmPPOKbKZrctFH_X05Xk>
Subject: [TLS] Input on ECH specification
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 22:06:29 -0000
Hi, I figured it would be better to send an email, rather than proposing and discussing this on a PR (proposed edits/diffs are at the bottom of this email). We have two suggestions regarding the specification text (https://datatracker.ietf.org/doc/draft-ietf-tls-esni/): Suggestion 1 Make it clear that if an ECH extension is absent from the server_hello, it qualifies as an ECH disabling signal. The text earlier in the section already requires that "both authentication and the handshake complete successfully" in the initial ECH-enabled connection, for ECH to be regarded as disabled. The same (ECH disabling due to absent ECH ext from server) can be deducted by reading a few paragraphs, but even then, it is not clear. This makes it much clearer. In Section 6.1.6, change: If none of the values provided in "retry_configs" contains a supported version, or an earlier TLS version was negotiated, the client can regard ECH as securely disabled by the server, and it SHOULD retry the handshake with a new transport connection and ECH disabled. To: If none of the values provided in "retry_configs" contains a supported version, or an earlier TLS version was negotiated, or the server did not supply an "encrypted_client_hello" extension in its EncryptedExtensions message, the client can regard ECH as securely disabled by the server. It SHOULD retry the handshake with a new transport connection and ECH disabled. Suggestion 2 Section 6.1.6 also mentions that: Clients SHOULD implement a limit on retries caused by receipt of "retry_configs" or servers which do not acknowledge the "encrypted_client_hello" extension. The text does not differentiate between retry types for the purpose of limiting the connections. I.e., if the ECH config was replaced, then it is an ECH-enabled retry (with new keys). But if ECH was disabled, then it is an ECH-disabled retry. Limiting the connections makes sense for ECH-enabled retries due to config replacement, since the connections seem not be successful in any case and thus the extra load is not necessary. But limiting it for ECH-disabled connections could mean that connections may start failing abruptly, depending on the aggressiveness of the limit on the client. As long as ECH-disabled connections succeed, they should not be limited so that connectivity does not suffer unnecessarily. It would probably even be good/necessary to implement a holdoff on the client in the ECH-disabled case. I.e., not making an ECH-enabled connection to an SNI that resulted in ECH disabling for some duration of time. Some scenarios where this would be desirable: * The ECH version steps. This will lead to ECH-disabled retries. During DNS propagation time, the number of connections to client-facing servers of ECH enabled sites will double (say a large CDN activates a version step of all its sites all at once). Clients that limit retries could experience connectivity issues, but clients that implement a holdoff would mitigate the connection doubling problem in such a scenario. * A server disables ECH temporarily or serves TLS 1.2. Again, ECH will be securely disabled, and a connectivity loss may occur (retry limit). A doubling in connections will be experienced until DNS propagation is finished - or indefinitely in case of a config issue (e.g. server administrator does not remove ECH config from DNS). * Section 8.2 talks about middleboxes acting as TLS-terminating proxies. All connections going through such proxies will result in ECH being disabled (due to the ECH extension being absent from the server_hello). Also leading to a possible connectivity loss, or at the very least a permanent doubling in connections. The "connection doubling" in the scenarios above increases connection establishment latency and adds load to the client, server, middlebox, and other stateful network devices, and can be mitigated by a temporary holdoff on ECH-enabled connections on the client. The proposal is therefore to change Section 6.1.6 from: If none of the values provided in "retry_configs" contains a supported version, or an earlier TLS version was negotiated, the client can regard ECH as securely disabled by the server, and it SHOULD retry the handshake with a new transport connection and ECH disabled. Clients SHOULD implement a limit on retries caused by receipt of "retry_configs" or servers which do not acknowledge the "encrypted_client_hello" extension. If the client does not retry in either scenario, it MUST report an error to the calling application. To: Clients SHOULD implement a limit on ECH-enabled retries caused by the secure replacement of ECH keys by "retry_configs". If the client does not retry, it MUST report an error to the calling application. If none of the values provided in "retry_configs" contains a supported version, or an earlier TLS version was negotiated, or the server did not supply an "encrypted_client_hello" extension in its EncryptedExtensions message, the client can regard ECH as securely disabled by the server. It SHOULD retry the handshake with a new transport connection and ECH disabled. If the client does not retry, it MUST report an error to the calling application. Clients SHOULD implement a holdoff on ECH-enabled connections to an SNI for which ECH has been securely disabled. I.e., those connections made after the ECH-disabled retry. Clients SHOULD still send a GREASE ECH extension (see {{grease-ech}}) for ECH-disabled connections made during the holdoff period. Thanks, Elardus (suggested diffs to the specification below) @@ -852,10 +852,11 @@ If the server supplied an "encrypted_client_hello" extension in its EncryptedExtensions message, the client MUST check that it is syntactically valid and the client MUST abort the connection with a "decode_error" alert otherwise. If an earlier TLS version was negotiated, the client MUST NOT enable -the False Start optimization {{RFC7918}} for this handshake. If both -authentication and the handshake complete successfully, the client MUST perform -the processing described below then abort the connection with an "ech_required" -alert before sending any application data to the server. +the False Start optimization {{RFC7918}} for this handshake. + +If both authentication and the handshake complete successfully, the client MUST +perform the processing described below then abort the connection with an +"ech_required" alert before sending any application data to the server. If the server provided "retry_configs" and if at least one of the values contains a version supported by the client, the client can regard the ECH keys @@ -876,15 +877,21 @@ because the client will send cookies to the server in parallel connections, using the retry configurations for these parallel connections does not introduce a new tracking vector. +Clients SHOULD implement a limit on ECH-enabled retries caused by the secure +replacement of ECH keys by "retry_configs". If the client does not retry, it +MUST report an error to the calling application. + If none of the values provided in "retry_configs" contains a supported version, -or an earlier TLS version was negotiated, the client can regard ECH as securely -disabled by the server, and it SHOULD retry the handshake with a new transport -connection and ECH disabled. - -Clients SHOULD implement a limit on retries caused by receipt of "retry_configs" -or servers which do not acknowledge the "encrypted_client_hello" extension. If -the client does not retry in either scenario, it MUST report an error to the -calling application. +or an earlier TLS version was negotiated, or the server did not supply an +"encrypted_client_hello" extension in its EncryptedExtensions message, the +client can regard ECH as securely disabled by the server. It SHOULD retry +the handshake with a new transport connection and ECH disabled. If the client +does not retry, it MUST report an error to the calling application. + +Clients SHOULD implement a holdoff on ECH-enabled connections to an SNI for +which ECH has been securely disabled. I.e., those connections made after the +ECH-disabled retry. Clients SHOULD still send a GREASE ECH extension (see +{{grease-ech}}) for ECH-disabled connections made during the holdoff period. ### Authenticating for the Public Name {#auth-public-name}
- [TLS] Input on ECH specification Elardus Erasmus
- Re: [TLS] Input on ECH specification Stephen Farrell
- Re: [TLS] Input on ECH specification Elardus Erasmus
- Re: [TLS] Input on ECH specification Elardus Erasmus
- Re: [TLS] Input on ECH specification Eric Rescorla