Re: [TLS] TLS 1.3 draft 22 middlebox interaction

Yuhong Bao <> Sat, 02 December 2017 01:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1047912943C for <>; Fri, 1 Dec 2017 17:51:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.875
X-Spam-Status: No, score=-0.875 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7HEmQo1KGD3x for <>; Fri, 1 Dec 2017 17:51:32 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fe4c::826]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9CDDE12943D for <>; Fri, 1 Dec 2017 17:51:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=IW70WE82HbJ1XFL4B6PslCgepHe4ZGNyxj60T686+vA=; b=NwWXiI4xEj+wdHBuqaqoClNb/65JGXS+7OTSvZ4Y6BrwuU5eP3FMCTj5Xjc4p8sb05fiiAjJFEpgz/0avBcVAd7qPJM2D5NANF29XSvst7xs0/4qcF95HhjomvBxVvdcCaiuhgYTMga0VB4L1TNea8J4ZjvNDDuJNgLLdfI9FiX0o2+Hl4wfA4ytThbW8CP70H2gsf9OVOm17IglrIsmqNXcxoE8aCEn3h3GiMyO2NDFZVa0BAM8KM5sxyu8Zu+M79RdF+9WYYcDlnWmxJPv3Ko/tXWrwscqwYNERRxrSU8aDJGUUX9BT8evU5rO8vUJua2WFsv0T5NGiuNbvYGspg==
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id; Sat, 2 Dec 2017 01:51:14 +0000
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id via Frontend Transport; Sat, 2 Dec 2017 01:51:14 +0000
Received: from ([]) by ([]) with mapi id 15.20.0282.007; Sat, 2 Dec 2017 01:51:14 +0000
From: Yuhong Bao <>
To: David Benjamin <>, Eric Rescorla <>
CC: "" <>
Thread-Topic: [TLS] TLS 1.3 draft 22 middlebox interaction
Thread-Index: AQHTarPwCc0JmzJMxUiArZxt9jsP9KMumcAAgAAVeYCAAJtbkw==
Date: Sat, 2 Dec 2017 01:51:13 +0000
Message-ID: <>
References: <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-incomingtopheadermarker: OriginalChecksum:313F44BD48402EC6F2F8AFDB875CCD6D10EDCBB1BECF00FBA303EDCEB8CD0C7A; UpperCasedChecksum:BEF129E6405BE6809D5B85105D45778E4227CF0BD7FB578DFDFC318BB4B4EF1B; SizeAsReceived:7375; Count:47
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [mQY6V464mAErbViJqn0q03Oa2a054Qlyursxncn8Atu5ml2owpMW2jjz6WK2EK6t]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN1NAM04HT157; 6:y6qAAIodHXLwyERU96WUyUp7TA55gam9phT4qgoZFtaOLV2kAu1iFHIo/htfrtjZFSXdJymrSnhvNUsNR6ZULKxpG22NGPWiXY/L6bse9vxX8VjfBZTcPwUjBU3sQ0MfbtcoeCL759sPOGrjjuUBjxMPUxcQ1a/fXAYTiVpEtVFuBgdG1d0gLyd7cFT8wIUXvx734UKWQ7Nzq0cLSrKNPSv/tCTOG72EYYuwCssEQ4zQL/qkduWCVUcx1knrYp4Ke63I1N9mF8hGjr8Xo64GbBUjcZ/KA1ilq4H+N072L0Dli5MTNJbC6Ysmgv62/mOChHnXaJWXDqi+/pCNkpvpm2gdkqFTlqU/RJh0E2IhB0M=; 5:qrXActF/zCKG1yi2xS7ml4M6OAuu539RPMS8Gg/+HlYuxxwphiDgALX/pESuWHiRkSrS7bbSKGuo6YwhvwrlzDQhlEBrZ6F8Lr0E27LOpeT037FpZy+gvIubEZBxsKtncW7bmb8tUr+sFWYc3Br9qcRm9vwLQ6392eHJSOMzoAo=; 24:/ivmgW9KmvJoyqVYVSwVP7vy/RM5HhT3HnLiqSeYYtsIxdaIxFgkNmhKgS5cM+ZsCNQ/qOizv1Z6LNOjQR7fWVbKBKkltZ8t1XaGt06zmmo=; 7:vG/9IDhFsgQ8XAt9hOs/5saNFSVJC9dH1t+YtBDmcOfLAm3o23Rrs4nsc1+jLldj9yCbeWSCwWlqMxelCJIQ/ly/gkkINQ5VnB2M7XdaUY0nGgfLPegL2PtcLBIqx2AIlpR749LXXW1YzlEhfUPG19CTEBU4uXrNSFIRr0CWreMlpo59p9Jdi90oZXGJDR6PCCqLdx2jNz5H3X7vK2Jh8BkjQWJ/EAbMRWvIcCmB8fOd6QfOi13UHH1mlOiXC+7A
x-incomingheadercount: 47
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1601125374)(1603101448)(1701031045); SRVR:SN1NAM04HT157;
x-ms-traffictypediagnostic: SN1NAM04HT157:
x-ms-office365-filtering-correlation-id: a06584fd-1d1b-4676-896e-08d539272b95
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031); SRVR:SN1NAM04HT157; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:SN1NAM04HT157;
x-forefront-prvs: 0509245D29
x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:SN1NAM04HT157;; FPR:; SPF:None; LANG:;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a06584fd-1d1b-4676-896e-08d539272b95
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Dec 2017 01:51:14.0052 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1NAM04HT157
Archived-At: <>
Subject: Re: [TLS] TLS 1.3 draft 22 middlebox interaction
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 02 Dec 2017 01:51:35 -0000

I was talking about that arms race not that long ago.

From: TLS <> on behalf of David Benjamin <>
Sent: Friday, December 1, 2017 8:34:53 AM
To: Eric Rescorla
Subject: Re: [TLS] TLS 1.3 draft 22 middlebox interaction

On Fri, Dec 1, 2017 at 10:18 AM Eric Rescorla <<>> wrote:
On Fri, Dec 1, 2017 at 6:47 AM, R du Toit <<>> wrote:
I want to provide some feedback that might be useful to the TLS WG:  Firefox Nightly TLS 1.3 (draft 22) sessions to<> is triggering an interesting failure in at least one middlebox.

The middlebox in question supports TLS 1.3, but only drafts 18 through 21.  The FF Nightly ClientHello supported_versions extension advertises support for TLS 1.2 and TLS 1.3 (draft 22), which the middlebox then interprets as only advertising support for TLS 1.2, ignoring the 0x7f16 as if it is a "grease" value.  The middlebox only perfoms protocol checks and does not actually modify anything - the session completes without any issues, which shows that the draft 22 middlebox measures are effective.  FF Nightly then starts a resumed TLS 1.3 (draft 22) session that includes 0-RTT early data.  The middlebox performs a protocol check on the ClientHello and determines that the client is trying to negotiate TLS 1.2 (per the logic of the first session).  Shortly afterwards the 0-RTT AppData record arrives, which then triggers a protocol error in the middlebox.   "D.3. 0-RTT backwards compatibility" of the draft 22 specification describes the problem, but in the context of "older server" being "only supports up to TLS 1.2".  This particular middlebox can also be thought of as "older" because it only supports TLS 1.3 drafts 18 through 21.

Obviously the middlebox will soon have support for draft 22, but it does raise some questions:

1. I understand that some of these transition effects will go away as soon as draft support is replaced with actual 0x0304 support, but were 0-RTT sessions used in the recent TLS 1.3 middlebox resiliency experiments?  The scenario above shows that some middleboxes might (by luck?) not break full TLS 1.3 sessions, but those same middleboxes might fail with subsequent 0-RTT early data.

We haven't been testing that. I do expect to see some 0-RTT bustage, but falling back to a full handshake at that point isn't a security issue, and so can be handled in the conventional reconnect way. We (Firefox) also are looking at testing for middlebox compat explicitly and turning off features like 0-RTT and TFO (which we already see problems with) if needed.

2. Should middleboxes that understand the supported_versions extension get out of the loop immediately (as in ignore traffic after ClientHello) when it sees 0x7fNN, where NN is larger than the highest draft version supported by the middlebox?  How would that be different from other "grease" values?   I understand that this might just be a temporary measure until 0x7fXX goes away (hopefully soon!).

First, they shouldn't look at #s. Second, it depends what kind if middlebox you are. If you're a protocol enforcing middlebox (ugh, these shouldn't exist) you should get out of the way. If you're a MITM device you should just negotiate a lower version.

3. Is there a plan for phasing out draft support once TLS 1.3 is finalized as RFC?  Servers can stop supporting 0x7fxx as soon as 0x0304 is ready, but what should a middlebox do if 0x7fxx is seen post RFC?

I would expect people to just signal the RFC version relatively shortly after RFC. That's what we (Firefox) plans to do.

To answer your question more directly, as EKR noted above, post-RFC and pre-RFC, middleboxes should not behave differently for 0x0304, 0x7fxx, 0x1234, or 0x0305. If you did not terminate the connection, you don't get to parse variant-dependent fields.

Someday the TLSWG will design TLS 1.4 which, like TLS 1.3, has free reign to change everything past the ServerHello again. Or perhaps we'll design a new cipher suite or extension that changes things. New capabilities may be signaled by the client anywhere in the ClientHello. Recall that past TLS 1.2 extensions have injected new messages in the handshake and changed the format of the Certificate message. Adding ECDHE and PSK cipher suites changed how ClientKeyExchange and ServerKeyExchange worked. Earlier drafts of TLS 1.3 completely changed the handshake.

I started writing some text on version invariants to make these rules clearer. They were the assumed rules in TLS 1.2, but draft-22 reflects that the network did not honor them. I'll finish that up and make a PR. I do not believe writing this in text will be sufficient, but it is evidently necessary.

TLS's versioning invariants are quite simple: if you are not terminating the TLS connection (i.e. the ClientHello was not produced by you), you MUST NOT process any message beyond the ClientHello. If you produced the ClientHello, you can reasonably expect to understand the response and can act as an endpoint does.

Any middleware violating this invariant is non-compliant and at risk of breaking as endpoints and the protocol evolve. Alas, this was insufficiently GREASEd from SSL 3.0 through TLS 1.2, so we had to grandfather in existing violations via draft 22.

Future violations, however, continue to be non-compliant and you should expect them to break, and quite rapidly as draft-22 shows we need more ideas in the vein of GREASE.