Re: [TLS] TLS1.3 Ticket Usage Across Versions
Benjamin Kaduk <bkaduk@akamai.com> Sat, 13 November 2021 01:23 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 460F73A0EAE for <tls@ietfa.amsl.com>; Fri, 12 Nov 2021 17:23:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZW8sZGpsg3fe for <tls@ietfa.amsl.com>; Fri, 12 Nov 2021 17:23:36 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACD993A0EAD for <tls@ietf.org>; Fri, 12 Nov 2021 17:23:36 -0800 (PST)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.16.1.2/8.16.1.2) with ESMTP id 1ACMFaN4003070; Sat, 13 Nov 2021 01:23:35 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : content-transfer-encoding : in-reply-to; s=jan2016.eng; bh=btcfIa//3vsddS2NcVr7In+KLqVJzZ1MxIpRUxq3aYo=; b=TWmrZo6AzJToX1SlYhRTmfA7lLdfxU/mGYP0ndRx5B02pR+cZt+CmDUX7bBmVo3XXasv RUyHA9W2eiHB2pzdrH4wGqSQ3ONOaXWG7opdWIcCTMHVrbVMMIAxQD2WnrSmj3/gINPJ wRVGIdX80RszcMv6ZttG9XCrZ5iugybF+Ruus9mfbOjetctvc24BKOJXPZJShn70dMYR sE5mIJJIWOmlQqDG5h/qmb7eYZJNTbjMnbbv6P1/AwJGDl8lLLl3ZQp5wQjMQ25ygL77 bYOP2dhm+7+cMNJPWCm6mGXngAKlGuOzqmQ2GVyAJAhsNwp0pZRvkgiV0dBr2QdRLfBH 0A==
Received: from prod-mail-ppoint6 (prod-mail-ppoint6.akamai.com [184.51.33.61] (may be forged)) by m0050093.ppops.net-00190b01. (PPS) with ESMTPS id 3ca0wg3grx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 13 Nov 2021 01:23:34 +0000
Received: from pps.filterd (prod-mail-ppoint6.akamai.com [127.0.0.1]) by prod-mail-ppoint6.akamai.com (8.16.1.2/8.16.1.2) with SMTP id 1AD1JDCP023107; Fri, 12 Nov 2021 20:23:33 -0500
Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint6.akamai.com with ESMTP id 3c81umntcs-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 12 Nov 2021 20:23:33 -0500
Received: from USMA1EX-CAS1.msg.corp.akamai.com (172.27.123.30) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1497.24; Fri, 12 Nov 2021 20:21:13 -0500
Received: from akamai.com (172.19.16.134) by USMA1EX-CAS1.msg.corp.akamai.com (172.27.123.30) with Microsoft SMTP Server (TLS) id 15.0.1497.24 via Frontend Transport; Fri, 12 Nov 2021 20:21:13 -0500
Date: Fri, 12 Nov 2021 17:21:11 -0800
From: Benjamin Kaduk <bkaduk@akamai.com>
To: Steven Collison <steven@raycoll.com>
CC: tls@ietf.org
Message-ID: <20211113012111.GJ6443@akamai.com>
References: <23EC35FA-D689-4CF9-8D5C-8ECF75B80746@raycoll.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <23EC35FA-D689-4CF9-8D5C-8ECF75B80746@raycoll.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.790 definitions=2021-11-12_05:2021-11-11, 2021-11-12 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 bulkscore=0 phishscore=0 malwarescore=0 adultscore=0 spamscore=0 mlxlogscore=999 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111130004
X-Proofpoint-GUID: YXgbzROIS30MbwCBE2t90O_xeV1FV7WC
X-Proofpoint-ORIG-GUID: YXgbzROIS30MbwCBE2t90O_xeV1FV7WC
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-11-12_05,2021-11-12_01,2020-04-07_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 lowpriorityscore=0 spamscore=0 mlxlogscore=999 phishscore=0 malwarescore=0 adultscore=0 bulkscore=0 priorityscore=1501 clxscore=1011 suspectscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000 definitions=main-2111130004
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/O0u-_7F7Ho2HONv37l31VBzXRiQ>
Subject: Re: [TLS] TLS1.3 Ticket Usage Across Versions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Nov 2021 01:23:42 -0000
On Fri, Nov 12, 2021 at 04:23:12PM -0800, Steven Collison wrote: > Hello, > > While testing a TLS1.3 client implementation, I found an unexpected > behavior. Specific sequence: > 1. Client negotiates TLS1.3 with Server. > 2. Server sends NST with a valid ticket. > 3. Client reconnects to the same Server. The ClientHello contains both the > `session_ticket` and `pre_shared_key` extensions. The value of the > `psk_identity` is equal to the value of the `session_ticket`. > > Is it ever valid for a client to populate both extensions with the same > ticket value? Even if the client reconnects and lands on a different server > node that only supports TLS1.2, resumption should fail because the protocol > version should be included as part of the session state. The > `session_ticket` extension data in this example is at least wasted data. > > I did not see anything in the spec(neither 8446 2.2 nor 4.6.1) that > explicitly disallows this. 2.2 contains “Both mechanisms are obsoleted in > TLS 1.3.” when referring to `session_ticket` and `session_id` resumption, > but that may not be clear enough. "Obsoleted in TLS 1.3" is not a very good argument, since we do allow sending a ClientHello that will be valid for both TLS 1.2 and TLS 1.3. I think the relevant requirement here (phrased as binding on the server, but by extension on what the client should expect) is in https://datatracker.ietf.org/doc/html/rfc8446#section-4.6.1: Any ticket MUST only be resumed with a cipher suite that has the same KDF hash algorithm as that used to establish the original connection. There is some history to that part of the text that used to have a longer list of requirements (e.g., including matching SNI), but it got trimmed down over time to just this one, needed for safety of the key schedule. There is a certain reading that treats "KDF hash algorithm" as including the KDF construction itself, i.e., limiting the protocol version used, though there can be cases where the TLS 1.2 PRF uses the same hash algorithm used for a TLS 1.3 HKDF, so it's not an ironclad argument. Contrast this to the requirements for using early data, https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.10: In order to accept early data, the server MUST have accepted a PSK cipher suite and selected the first key offered in the client's "pre_shared_key" extension. In addition, it MUST verify that the following values are the same as those associated with the selected PSK: - The TLS version number - The selected cipher suite - The selected ALPN [RFC7301] protocol, if any For early data, the TLS version is indeed specifically called out. My recollection of the discussions leading up to https://github.com/tlswg/tls13-spec/commit/fc685853ce52a320fa99cd46e48cf7f8954ff663 are that the TLS 1.3 session ticket was to be tied to the protocol version, but the text doesn't really seem to support that. So, in summary, I don't think it's ever actually valid to populate both, but I can't find solid evidence in RFC 8446 to support that claim in the amount of time I allocated to look for it just now. Thanks for asking; it's interesting to hear about such an unusual client implementation! -Ben
- Re: [TLS] TLS1.3 Ticket Usage Across Versions Benjamin Kaduk
- [TLS] TLS1.3 Ticket Usage Across Versions Steven Collison
- Re: [TLS] TLS1.3 Ticket Usage Across Versions David Benjamin
- Re: [TLS] TLS1.3 Ticket Usage Across Versions Steven Collison