Re: [TLS] Working Group Last Call for draft-ietf-tls-tls13-18 (Martin Rex) Fri, 28 October 2016 18:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 75DA4129593 for <>; Fri, 28 Oct 2016 11:23:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.922
X-Spam-Status: No, score=-6.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id w9LAZ5jED7GP for <>; Fri, 28 Oct 2016 11:23:45 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3FFD61294A8 for <>; Fri, 28 Oct 2016 11:23:45 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3t5BwH2HyVz26CG; Fri, 28 Oct 2016 20:23:43 +0200 (CEST)
X-purgate-ID: 152705::1477679023-0000521C-35536832/0/0
X-purgate-size: 2574
X-purgate: clean
X-purgate: This mail is considered clean (visit for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R)
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ( []) by (Postfix) with ESMTP id 3t5BwG48nKzkp5T; Fri, 28 Oct 2016 20:23:42 +0200 (CEST)
Received: by (Postfix, from userid 10159) id 842351A56E; Fri, 28 Oct 2016 20:23:42 +0200 (CEST)
In-Reply-To: <>
To: Eric Rescorla <>
Date: Fri, 28 Oct 2016 20:23:42 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <>
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-tls13-18
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Oct 2016 18:23:46 -0000

If the server_name remains in plaintext and full sight in ClientHello
(where it needs to be for TLSv1.2 backwards compatibility anyway),
then I don't have an issue.  (I'm sorry for not reading the draft in full).

Eric Rescorla wrote:
>> (2) hiding of the TLS extension SNI.
>>     Right now it is perferctly fine to implement TLS extensions SNI
>>     on the server completely outside the TLS protocol stack to route
>>     to single-cert SNI-unaware backends.  The current proposal
>>     suggest to move TLS extension SNI into the encrypted part, if
>>     my superficial reading of the draft is correct, so TLSv1.3
>>     will not fly with existing architectures where spreading of
>>     TLS requests on the server-side based on TLS extension SNI
>>     is done outside of the TLS protocol stack (i.e. bottleneck-less
>>     without having to open TLS).
> This isn't quite right. In RFC 6066, the client sends its server_name
> extension in ClientHello and the server responds with an empty
> server_name in its ServerHello to indicate that it accepted SNI.

Yes, I know that rfc6066 suggests the server responds with an empty SNI
extension.  This kind of server response is is a complete waste,
and server-side SNI works just fine with the server not returning
an empty SNI extension.

>    A server that receives a client hello containing the "server_name"
>    extension MAY use the information contained in the extension to guide
>    its selection of an appropriate certificate to return to the client,
>    and/or other aspects of security policy.  In this event, the server
>    SHALL include an extension of type "server_name" in the (extended)
>    server hello.  The "extension_data" field of this extension SHALL be
>    empty.
> In TLS 1.3, the client's extension remains where it is, but the server's
> extension is in EncryptedExtensions. This shouldn't interfere with
> configurations such as the one you describe, as the server already
> needed to insert the SNI field itself and hash it into Finished.

Nope, the server doesn't need to insert anything at all.  The empty
TLS extensions SNI in ServerHello is completely superflouous.

If this is really about "hinding the empty TLS extension SNI response",
while leaving the actualy server_name in full sight in the cleartext
ClientHello, why not just dropping the ServerHello TLS extension SNI
response and be done with it?  It really has no functional value other
than information discovery for scanners (the bad guys).