MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Fri, 12 Oct 2018 14:48:57 -0500
Message-ID: <CAF8qwaD4kdmSgesPbT0U5aFRM9Z_pV_i6b0AYwMUHqS-Fza6mA@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Cc: "svaldez@chromium.org" <svaldez@chromium.org>,
 Adam Langley <agl@chromium.org>
Content-Type: multipart/alternative; boundary="0000000000008c27db05780d61ad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PLtOD4kROZFfNtPKzSoMyIUOzuE>
Subject: [TLS] TLS 1.3 updates from Chrome
Precedence: list

--0000000000008c27db05780d61ad
Content-Type: text/plain; charset="UTF-8"

Dear all,

The upcoming release of Google Chrome 70 is expected to enable the final
version of TLS 1.3. As the release has progressed through our early release
channels, we have learned about some deployment issues we would like to
share with the community.

First, we are aware of some intolerance to the final TLS 1.3 code point,
0x0304. Prerelease versions of OpenSSL 1.1.1, namely -pre6 and earlier,
implemented the draft versions of TLS 1.3 incorrectly
<https://github.com/openssl/openssl/issues/7315>. Although the draft
versions used separate 0x7fxx code points for forward-compatibility,
OpenSSL incorrectly also interpreted 0x0304 as a draft version. These
servers will respond to a TLS 1.3 ClientHello with a draft version, rather
than TLS 1.2, and fail to interoperate.

Early adopters of OpenSSL should upgrade to the final 1.1.1 release. Those
that cannot upgrade quickly should disable the draft TLS 1.3 in
configuration. We do not believe this problem to be widespread and do not
intend to delay TLS 1.3 in Chrome for it.

Second, TLS 1.3 includes a downgrade signal
<https://tools.ietf.org/html/rfc8446#section-4.1.3> in the ServerHello
random field that could not be deployed in draft versions. This signal
strengthens
<https://crypto.iacr.org/2018/affevents/cwtls/medias/Karthik_Bhargavan.pdf>
TLS 1.3 connections while remaining fully backwards compatible with TLS 1.2
and earlier. Unfortunately, despite the solid compatibility story, we are
observing deployment issues.

We believe these are caused by non-compliant TLS-terminating proxies which,
rather than generating their own random values, copy the value from the
origin server. This behavior is incorrect for all
<https://tools.ietf.org/html/rfc5246#section-7.4.1.3> prior
<https://tools.ietf.org/html/rfc4346#section-7.4.1.3> versions
<https://tools.ietf.org/html/rfc2246#section-7.4.1.3> of TLS. When such a
proxy terminates a connection between a TLS 1.3 client and server, the
resulting pair of TLS 1.2 connections appear as a downgrade and are
rejected.

We are aware of two vendors whose products have this bug: Cisco and Palo
Alto Networks, although there may be more. We reported the issue to Cisco
in December 2017. They released the fix this past August and have published
an advisory
<https://www.cisco.com/c/dam/en/us/td/docs/security/firepower/SA/SW_Advisory_CSCvj93913.pdf>.
Palo Alto Networks recently discovered the issue on their devices and are
planning to release PAN-OS 8.1.4, PAN-OS 8.0.14, and PAN-OS 7.1.21 to fix
this, tentatively by Nov 30th.

As random values in security protocols are there for a reason and assumed
to be random by all security analysis, we would advise that all affected
vendors treat such flaws as security issues, and not mere functional flaws.
Additionally, vendors should note the Protocol Invariants
<https://tools.ietf.org/html/rfc8446#section-9.3> section of RFC 8446,
which points out areas historically dense in errors.

Due to the above, we will sadly be shipping TLS 1.3 in Chrome 70 with the
server-random check temporarily disabled. While we still have downgrade
protection via the Finished check, we consider this additional protection
an important part of TLS 1.3 and plan on re-enabling it in the near future.
Additionally, we are disabling the False Start
<https://tools.ietf.org/html/rfc7918> optimization on connections with the
downgrade signal, as False Start skips the Finished check. Note this
effectively disables the optimization on affected middleboxes. Vendors
should fix the underlying ServerHello random flaw to recover performance.

We would recommend other clients considering similar measures to also
disable False Start when the signal is present. To that end, we ask that
TLS 1.3 server deployments leave the signal enabled on the server. The
False-Start-only enforcement is valuable, and the server signal aids client
measurement. Compatibility issues can be mitigated instead on the client.

David

--0000000000008c27db05780d61ad
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Dear all,</div><div><br></div><div>The upcoming relea=
se of Google Chrome 70 is expected to enable the final version of TLS 1.3. =
As the release has progressed through our early release channels, we have l=
earned about some deployment issues we would like to share with the communi=
ty.</div><div><br></div><div>First, we are aware of some intolerance to the=
 final TLS 1.3 code point, 0x0304. Prerelease versions of OpenSSL 1.1.1, na=
mely -pre6 and earlier, implemented the draft versions of TLS 1.3 <a href=
=3D"https://github.com/openssl/openssl/issues/7315">incorrectly</a>. Althou=
gh the draft versions used separate 0x7fxx code points for forward-compatib=
ility, OpenSSL incorrectly also interpreted 0x0304 as a draft version. Thes=
e servers will respond to a TLS 1.3 ClientHello with a draft version, rathe=
r than TLS 1.2, and fail to interoperate.</div><div><br></div><div>Early ad=
opters of OpenSSL should upgrade to the final 1.1.1 release. Those that can=
not upgrade quickly should disable the draft TLS 1.3 in configuration. We d=
o not believe this problem to be widespread and do not intend to delay TLS =
1.3 in Chrome for it.</div><div><br></div><div>Second, TLS 1.3 includes a <=
a href=3D"https://tools.ietf.org/html/rfc8446#section-4.1.3">downgrade sign=
al</a> in the ServerHello random field that could not be deployed in draft =
versions. This signal <a href=3D"https://crypto.iacr.org/2018/affevents/cwt=
ls/medias/Karthik_Bhargavan.pdf">strengthens</a> TLS 1.3 connections while =
remaining fully backwards compatible with TLS 1.2 and earlier. Unfortunatel=
y, despite the solid compatibility story, we are observing deployment issue=
s.</div><div><br></div><div>We believe these are caused by non-compliant TL=
S-terminating proxies which, rather than generating their own random values=
, copy the value from the origin server. This behavior is incorrect for <a =
href=3D"https://tools.ietf.org/html/rfc5246#section-7.4.1.3">all</a> <a hre=
f=3D"https://tools.ietf.org/html/rfc4346#section-7.4.1.3">prior</a> <a href=
=3D"https://tools.ietf.org/html/rfc2246#section-7.4.1.3">versions</a> of TL=
S. When such a proxy terminates a connection between a TLS 1.3 client and s=
erver, the resulting pair of TLS 1.2 connections appear as a downgrade and =
are rejected.</div><div><br></div><div>We are aware of two vendors whose pr=
oducts have this bug: Cisco and Palo Alto Networks, although there may be m=
ore. We reported the issue to Cisco in December 2017. They released the fix=
 this past August and have published an <a href=3D"https://www.cisco.com/c/=
dam/en/us/td/docs/security/firepower/SA/SW_Advisory_CSCvj93913.pdf">advisor=
y</a>. Palo Alto Networks recently discovered the issue on their devices an=
d are planning to release PAN-OS 8.1.4, PAN-OS 8.0.14, and PAN-OS 7.1.21 to=
 fix this, tentatively by Nov 30th.</div><div><br></div><div>As random valu=
es in security protocols are there for a reason and assumed to be random by=
 all security analysis, we would advise that all affected vendors treat suc=
h flaws as security issues, and not mere functional flaws. Additionally, ve=
ndors should note the <a href=3D"https://tools.ietf.org/html/rfc8446#sectio=
n-9.3">Protocol Invariants</a> section of RFC 8446, which points out areas =
historically dense in errors.</div><div><br></div><div>Due to the above, we=
 will sadly be shipping TLS 1.3 in Chrome 70 with the server-random check t=
emporarily disabled. While we still have downgrade protection via the Finis=
hed check, we consider this additional protection an important part of TLS =
1.3 and plan on re-enabling it in the near future. Additionally, we are dis=
abling the <a href=3D"https://tools.ietf.org/html/rfc7918">False Start</a> =
optimization on connections with the downgrade signal, as False Start skips=
 the Finished check. Note this effectively disables the optimization on aff=
ected middleboxes. Vendors should fix the underlying ServerHello random fla=
w to recover performance.</div><div><br></div><div>We would recommend other=
 clients considering similar measures to also disable False Start when the =
signal is present. To that end, we ask that TLS 1.3 server deployments leav=
e the signal enabled on the server. The False-Start-only enforcement is val=
uable, and the server signal aids client measurement. Compatibility issues =
can be mitigated instead on the client.</div><div><br></div><div>David</div=
></div>

--0000000000008c27db05780d61ad--