Re: [TLS] FYI, RFC7250 (raw public keys) to be supported in OpenSSL ~3.2

Achim Kraus <achimkraus@gmx.net> Sun, 22 January 2023 21:01 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JRZw6jl7GRBz3dBVhZICEubMNZo>

Hello Viktor,

> Thanks to Todd Short, RFC7250 raw public keys should be available in
> OpenSSL ~3.2.  Applications that use unauthenticated opportunistic TLS,

Sounds great. Especially for IoT/constrained use cases, that's a real
benefit.

Just in case someone is interested: a couple of months ago I asked
whether https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-10 has
some considerations about certificate types without a validation date.
See https://github.com/tlswg/tls-subcerts/issues/107

> The pull request <https://github.com/openssl/openssl/pull/18185> is
> still a work in progress, but complete enough for application
> integration testing.

I will try to test the DTLS interoperability next week with

Eclipse/tinydtls
Eclipse/Californium

best regards
Achim


On 22.01.23 at 21:41, Viktor Dukhovni wrote:
> Thanks to Todd Short, RFC7250 raw public keys should be available in
> OpenSSL ~3.2.  Applications that use unauthenticated opportunistic TLS,
> employ DANE or have other ways to avoid X.509 certificates and make do
> with raw peer public keys can avoid the overhead of receiving and
> processing certificate chains.
>
> The pull request <https://github.com/openssl/openssl/pull/18185> is
> still a work in progress, but complete enough for application
> integration testing.  Likely too late for OpenSSL 3.1 (in beta now), but
> seems likely to land by 3.2.  The TODO items on the OpenSSL side are
> at this point IMHO minor.  Review eyeballs of course always appreciated.
>
> I have a Postfix branch with a reasonably complete implementation:
>
>      # posttls-finger -c <domain>
>      posttls-finger: <mxhost>[192.0.2.1]:25: raw public key fingerprint=<...>
>      posttls-finger: <mxhost>[192.0.2.1]:25: Matched DANE raw public key: 3 1 1 <...>
>      posttls-finger: Verified TLS connection established to <mxhost>[192.0.2.1]:25:
>          TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>          key-exchange X25519
>          server-signature RSA-PSS (2048 bits)
>          server-digest SHA256
>
> based on the current state of the pull request.
>