Re: [TLS] TLSv1.3 Cookies
Matt Caswell <frodo@baggins.org> Wed, 13 September 2017 15:32 UTC
Return-Path: <frodo@baggins.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55F8D133055 for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 08:32:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TIszt2DGUurH for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 08:32:28 -0700 (PDT)
Received: from mx496502.smtp-engine.com (mx496502.smtp-engine.com [IPv6:2001:8d8:968:7d00::19:7e53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D945132949 for <tls@ietf.org>; Wed, 13 Sep 2017 08:32:28 -0700 (PDT)
Received: from mail-io0-f173.google.com (mail-io0-f173.google.com [209.85.223.173]) by mx496502.smtp-engine.com (Postfix) with ESMTPSA id F0D3E5E4 for <tls@ietf.org>; Wed, 13 Sep 2017 16:32:26 +0100 (BST)
Received: by mail-io0-f173.google.com with SMTP id v36so2943927ioi.1 for <tls@ietf.org>; Wed, 13 Sep 2017 08:32:26 -0700 (PDT)
X-Gm-Message-State: AHPjjUjCakOccLRPSyJwbY4GFgtK1dSm+usHLFUvNc65ncyshbeoo6Zi o+lYktit7mJ68JToZ2sJb456sJGxeU1wgccl1IQ=
X-Google-Smtp-Source: AOwi7QBDoFqRqmgwcZztpQxP8ca1xcPRHpYJpR2vZDUFdbxpiNeFXjeTt49smWPkcjChh4vlV/3i/d0SVL4tVovkbTo=
X-Received: by 10.107.197.198 with SMTP id v189mr7183535iof.94.1505316745264; Wed, 13 Sep 2017 08:32:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.165.25 with HTTP; Wed, 13 Sep 2017 08:32:24 -0700 (PDT)
In-Reply-To: <C27E03E9-1957-48E2-B9BB-9CFC1B0CA621@akamai.com>
References: <CAMoSCWYXWJMkFAdrcy033_bjMZjRUiU-V5f8MkoTXyvDfw+z6A@mail.gmail.com> <C27E03E9-1957-48E2-B9BB-9CFC1B0CA621@akamai.com>
From: Matt Caswell <frodo@baggins.org>
Date: Wed, 13 Sep 2017 16:32:24 +0100
X-Gmail-Original-Message-ID: <CAMoSCWaQSqEfM5KR3AT7Cj0-9xAwD+yyHMGApQ65nCKAdax4kg@mail.gmail.com>
Message-ID: <CAMoSCWaQSqEfM5KR3AT7Cj0-9xAwD+yyHMGApQ65nCKAdax4kg@mail.gmail.com>
To: "Short, Todd" <tshort@akamai.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NxtYjCL2ml0VhG0LBpUZ6kh2_CE>
Subject: Re: [TLS] TLSv1.3 Cookies
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 15:32:30 -0000
On 13 September 2017 at 16:11, Short, Todd <tshort@akamai.com> wrote: > One comment below. > -- > -Todd Short > // tshort@akamai.com > // "One if by land, two if by sea, three if by the Internet." > > On Sep 13, 2017, at 10:53 AM, Matt Caswell <frodo@baggins.org> wrote: > > I am looking at trying to implement the TLSv1.3 stateless cookie > mechanism (in order to be able to support QUIC stateless retries). > > I am not clear how cookies are supposed to interact with early_data. > Consider the scenario where a server is operating statelessly. Because > there is no state each ClientHello looks like the first one it ever > saw. The server only knows that a particular ClientHello is actually a > ClientHello2 following an HRR because of the state held in the cookie. > > What happens when a client attempts to send early data to such a > server? The server will process the ClientHello and determine that > there is no cookie, sends back an HRR and then forgets all of its > state and waits for the next ClientHello. However what it actually > gets next is early_data. It does not know that that early data > followed an earlier ClientHello (because it is stateless) so it does > not know to skip the records. It just looks like illegal records so, > presumably, it will respond with an alert. > > > In this case, the client must have previously connected to the server, so it > knows what parameters the server supports, and should only use those, > preventing an HRR from being generated. Well, that's not the case with a cookie. The server may choose to request a cookie even though all the rest of the parameters are ok can't it? Also what is acceptable to the server may change over time. The ticket may now be invalid because the configuration has changed etc. A client may also not know what groups are acceptable to a server even though it has a ticket, e.g. in the first handshake client sends an X25519 key_share, server responds with an HRR requesting P-256 and then the handshake continues to completion. The server is not obligated to provide supported_groups in its EE message - and even if it did the client is not obligated to remember it. Therefore it is perfectly valid in the second handshake for the client to send an X25519 key_share again along with early_data. Matt
- [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Ilari Liusvaara
- Re: [TLS] TLSv1.3 Cookies Short, Todd
- Re: [TLS] TLSv1.3 Cookies Eric Rescorla
- Re: [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Eric Rescorla
- Re: [TLS] TLSv1.3 Cookies Ilari Liusvaara
- Re: [TLS] TLSv1.3 Cookies Matt Caswell