[TLS] TLS 1.3 updates from Chrome
David Benjamin <davidben@chromium.org> Fri, 12 October 2018 19:49 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 794A0130DC8 for <tls@ietfa.amsl.com>; Fri, 12 Oct 2018 12:49:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.25
X-Spam-Level:
X-Spam-Status: No, score=-9.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhZ19oF07bDZ for <tls@ietfa.amsl.com>; Fri, 12 Oct 2018 12:49:11 -0700 (PDT)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A7181286E3 for <tls@ietf.org>; Fri, 12 Oct 2018 12:49:11 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id v68-v6so8377450qka.2 for <tls@ietf.org>; Fri, 12 Oct 2018 12:49:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=sgJlHeLYmKwmGKJTFbE/3pGAtYOn/tOKPDGb3rpbe6g=; b=At+3Jhuz/1QdVtqA+NElVgkPqoEHlsKGq+bJkdOKKVI2dPjZgjPpNpvugP/ggZ/Yai kHLZWzc3glx1m0UyhTuctq2a1BpeBmISZQQgT/kaRKseO6AO+YJxyX0pLdPZTnIvFah/ ySTH8o0x3SNWeVq49gUGk6WObOmcYAqEOkSQk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=sgJlHeLYmKwmGKJTFbE/3pGAtYOn/tOKPDGb3rpbe6g=; b=RLqlAJggfI67qBT7Qs5Gr8wmmhFBiGeTyezlEMb8D2G4fagTo8oqZIvzUcXz7sme+k P2MYHRqSALJPZkabEm4KmT4v4y2lqIuQWWMlys+j567tqbjO7fmo2ADdCNVbJtTF6d1T 9eP+VyhgZCdpawU9siZw7QNZVH0ymayT//hOD7SIbkdEh0gePwUko6azvUF1QaGbBwYB VVvsKyFJrTea3Z75hI0nje7jEQ2yHhVEM8PVHYW6AQQYDaRIe854lSNn2tfRdRF3zvzk 9l1EcqXrUDY30ZH8Asy0fAPUFfYAVupYyMxlCbZgRQgF37VMQY8pkIn+LGkFXZnjKqj2 59Rg==
X-Gm-Message-State: ABuFfoi90+1lJGH7uH011evQW+ZS2lLT/g2VxUeLcUjbH8xFF4NOpeaI MbUH2z0y4qeC6vNtjQwgLh7WD96NFiIHoDP7zcrRIUGxIQ==
X-Google-Smtp-Source: ACcGV62u7RgcB+hF0uJzifVA7+uTRHzWlqH7G7ioPk+r+n0D1+Y85ipXbfhKR3OydMbYlvfEvDxlu61wDMVL0y9Ud7s=
X-Received: by 2002:a37:4ece:: with SMTP id c197-v6mr7033875qkb.320.1539373750002; Fri, 12 Oct 2018 12:49:10 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Fri, 12 Oct 2018 14:48:57 -0500
Message-ID: <CAF8qwaD4kdmSgesPbT0U5aFRM9Z_pV_i6b0AYwMUHqS-Fza6mA@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Cc: "svaldez@chromium.org" <svaldez@chromium.org>, Adam Langley <agl@chromium.org>
Content-Type: multipart/alternative; boundary="0000000000008c27db05780d61ad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PLtOD4kROZFfNtPKzSoMyIUOzuE>
Subject: [TLS] TLS 1.3 updates from Chrome
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2018 19:49:14 -0000
Dear all, The upcoming release of Google Chrome 70 is expected to enable the final version of TLS 1.3. As the release has progressed through our early release channels, we have learned about some deployment issues we would like to share with the community. First, we are aware of some intolerance to the final TLS 1.3 code point, 0x0304. Prerelease versions of OpenSSL 1.1.1, namely -pre6 and earlier, implemented the draft versions of TLS 1.3 incorrectly <https://github.com/openssl/openssl/issues/7315>. Although the draft versions used separate 0x7fxx code points for forward-compatibility, OpenSSL incorrectly also interpreted 0x0304 as a draft version. These servers will respond to a TLS 1.3 ClientHello with a draft version, rather than TLS 1.2, and fail to interoperate. Early adopters of OpenSSL should upgrade to the final 1.1.1 release. Those that cannot upgrade quickly should disable the draft TLS 1.3 in configuration. We do not believe this problem to be widespread and do not intend to delay TLS 1.3 in Chrome for it. Second, TLS 1.3 includes a downgrade signal <https://tools.ietf.org/html/rfc8446#section-4.1.3> in the ServerHello random field that could not be deployed in draft versions. This signal strengthens <https://crypto.iacr.org/2018/affevents/cwtls/medias/Karthik_Bhargavan.pdf> TLS 1.3 connections while remaining fully backwards compatible with TLS 1.2 and earlier. Unfortunately, despite the solid compatibility story, we are observing deployment issues. We believe these are caused by non-compliant TLS-terminating proxies which, rather than generating their own random values, copy the value from the origin server. This behavior is incorrect for all <https://tools.ietf.org/html/rfc5246#section-7.4.1.3> prior <https://tools.ietf.org/html/rfc4346#section-7.4.1.3> versions <https://tools.ietf.org/html/rfc2246#section-7.4.1.3> of TLS. When such a proxy terminates a connection between a TLS 1.3 client and server, the resulting pair of TLS 1.2 connections appear as a downgrade and are rejected. We are aware of two vendors whose products have this bug: Cisco and Palo Alto Networks, although there may be more. We reported the issue to Cisco in December 2017. They released the fix this past August and have published an advisory <https://www.cisco.com/c/dam/en/us/td/docs/security/firepower/SA/SW_Advisory_CSCvj93913.pdf>. Palo Alto Networks recently discovered the issue on their devices and are planning to release PAN-OS 8.1.4, PAN-OS 8.0.14, and PAN-OS 7.1.21 to fix this, tentatively by Nov 30th. As random values in security protocols are there for a reason and assumed to be random by all security analysis, we would advise that all affected vendors treat such flaws as security issues, and not mere functional flaws. Additionally, vendors should note the Protocol Invariants <https://tools.ietf.org/html/rfc8446#section-9.3> section of RFC 8446, which points out areas historically dense in errors. Due to the above, we will sadly be shipping TLS 1.3 in Chrome 70 with the server-random check temporarily disabled. While we still have downgrade protection via the Finished check, we consider this additional protection an important part of TLS 1.3 and plan on re-enabling it in the near future. Additionally, we are disabling the False Start <https://tools.ietf.org/html/rfc7918> optimization on connections with the downgrade signal, as False Start skips the Finished check. Note this effectively disables the optimization on affected middleboxes. Vendors should fix the underlying ServerHello random flaw to recover performance. We would recommend other clients considering similar measures to also disable False Start when the signal is present. To that end, we ask that TLS 1.3 server deployments leave the signal enabled on the server. The False-Start-only enforcement is valuable, and the server signal aids client measurement. Compatibility issues can be mitigated instead on the client. David
- [TLS] TLS 1.3 updates from Chrome David Benjamin
- Re: [TLS] TLS 1.3 updates from Chrome Hanno Böck
- Re: [TLS] TLS 1.3 updates from Chrome Eric Rescorla