Re: [TLS] What counts as the same ClientHello?
"Short, Todd" <tshort@akamai.com> Tue, 29 August 2017 13:40 UTC
Return-Path: <tshort@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C7CD132A81 for <tls@ietfa.amsl.com>; Tue, 29 Aug 2017 06:40:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pyKiLYPXtJuL for <tls@ietfa.amsl.com>; Tue, 29 Aug 2017 06:39:58 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [67.231.149.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3BCE13217D for <tls@ietf.org>; Tue, 29 Aug 2017 06:39:58 -0700 (PDT)
Received: from pps.filterd (m0122333.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id v7TDbuwW000307; Tue, 29 Aug 2017 14:39:54 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=fREg7PfoVrZl1J65US8/e3szZEiEhcTX7N5xOof/aFA=; b=StneLq80ZuYys6qJLqlRpgLEuY5YfLKvSO2ruA4pFIJBLD5WZOnn7KK/jB1cxfVuN6BE pwgPFZOMa8/nZwGichlMArQ/1pqMw+uOCPMhW2HXcBP0Ahq4kUjqT0ArCxK0vA/VdjBS /iVZw2KWCHu15NbJzTzslh3Jl8lS4YHu7ArXTX895wmlkqJGwuOIbHRmHbOHYXXyfw2p BVJb0Z27G2UMGAjMhx2PZ2M1KX/zCBJrTi/sr1l7/Ax6Op7RqVVbxChKD+70FVu4SGwP McTkq0T6K167SdV5ZSTnJqQ6ZkyIwFKr6tAykZxZMwh+t+rdZ4JTXWpuzIrR/qEx178u Qw==
Received: from prod-mail-ppoint3 ([96.6.114.86]) by mx0a-00190b01.pphosted.com with ESMTP id 2ck08414j3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 29 Aug 2017 14:39:54 +0100
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v7TDa1Xn030616; Tue, 29 Aug 2017 09:39:53 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.30]) by prod-mail-ppoint3.akamai.com with ESMTP id 2ck4aw5sd6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 29 Aug 2017 09:39:53 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag3mb4.msg.corp.akamai.com (172.27.123.56) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 29 Aug 2017 06:39:52 -0700
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 29 Aug 2017 09:39:52 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Tue, 29 Aug 2017 09:39:52 -0400
From: "Short, Todd" <tshort@akamai.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
CC: Ilari Liusvaara <ilariliusvaara@welho.com>, Noah Robbin <Noah_Robbin@symantec.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] What counts as the same ClientHello?
Thread-Index: AQHTG28woLw1mAaE8UCKW3rg0dt+vaKREooAgAprToCAACbrgA==
Date: Tue, 29 Aug 2017 13:39:51 +0000
Message-ID: <9989C9A4-2F70-44E4-BC13-62A260EBF86E@akamai.com>
References: <89458B97-EEB1-4F3C-8624-796447B21CC2@symantec.com> <20170822201354.ojkuap7simes4g4v@LK-Perkele-VII> <0d245ef4-78c7-3050-0d52-0a185180476e@gmx.net>
In-Reply-To: <0d245ef4-78c7-3050-0d52-0a185180476e@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.43.105]
Content-Type: multipart/alternative; boundary="_000_9989C9A42F7044E4BC1362A260EBF86Eakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-08-29_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1708290205
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-08-29_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1708290205
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RmVDSuCOj5Pi8BWzXTtB4exeFvE>
Subject: Re: [TLS] What counts as the same ClientHello?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Aug 2017 13:40:01 -0000
Hannes: The ID indicates that the two ClientHellos must be identical except for the fields explicitly listed. If you strongly disagree, then you should request a change to the ID. I understand your opinions on the matter; but as written, the ID requires those fields extensions to be the same. Here is the text in question, emphasis mine: 4.1.2<https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.1.2>. Client Hello When a client first connects to a server, it is REQUIRED to send the ClientHello as its first message. The client will also send a ClientHello when the server has responded to its ClientHello with a HelloRetryRequest. In that case, the client MUST send the same ClientHello (without modification) except: - If a "key_share" extension was supplied in the HelloRetryRequest, replacing the list of shares with a list containing a single KeyShareEntry from the indicated group. - Removing the "early_data" extension (Section 4.2.9<https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.2.9>) if one was present. Early data is not permitted after HelloRetryRequest. - Including a "cookie" extension if one was provided in the HelloRetryRequest. - Updating the "pre_shared_key" extension if present by recomputing the "obfuscated_ticket_age" and binder values and (optionally) removing any PSKs which are incompatible with the server's indicated cipher suite. To avoid DOS and maintenance of state, the server should not maintain any of this information (except, perhaps indirectly via the cookie) if an HRR is returned. Thus the ClientHello is sent with all the information provided again. Yes, it’s a slight waste of bandwidth, but I’d rather use bandwidth that fleets away like time (use it or lose it), than memory in my device. This also permits multiple methods of implementation of the initial connection if all the information is provided again. -- -Todd Short // tshort@akamai.com<mailto:tshort@akamai.com> // "One if by land, two if by sea, three if by the Internet." On Aug 29, 2017, at 7:20 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>> wrote: Hi Noah, Todd, Ilari, the HRR is used for two purposes, namely * to report an error (with the key shares), and * for DoS protection. In both cases it feels excessive to require that the two ClientHellos are the same (with some minor exceptions). I see this as particularly problematic for the use with DTLS since with connectionless transport protocols the use of the HRR is obviously common and we are essentially wasting bytes on the wire for no good reason(with every handshake). For the return-routability check there will be a cookie in the HRR and the RR check is useful primarily for connectionless transports. Re-transmitting the same information twice in this case is of doubtful value since (a) either the cookie contains the necessary info already or (b) the second ClientHello carries the relevant information. Does this make sense? Ciao Hannes On 08/22/2017 10:13 PM, Ilari Liusvaara wrote: On Tue, Aug 22, 2017 at 05:50:49PM +0000, Noah Robbin wrote: Hello Todd! I also did not see a reason why the random values had to be the same but the language does mandate it. I really do not think there is any technical or security reason why the randoms have to be the same. After all, TLS 1.3 does not directly use the randoms anywhere (they only affect things indirectly via hashes of the handshake). You make a good argument for not altering the padding on the second ClientHello. I read that argument as "TLS 1.3 implementations should not need padding". I took a look at struct ClientHello and the extensions list: There are technical reasons for not altering (the client has no idea what the heck server did with these): - server_name - max_fragment_length - status_request - signature_algorithms - use_srtp - heartbeat - application_layer_protocol_negotiation - signed_certificate_timestamp - client_certificate_type - server_certificate_type - psk_key_exchange_modes (due to side-effects) - certificate_authorities - post_handshake_auth The following are explicitly listed as to be altered/deleted: - key_share - pre_shared_key - early_data - cookie The following do not negotiate state: - <random> - padding The following can't appear in ClientHello: - oid_filters The following client gains information about in HRR: - <ciphersuites> - supported_groups (partially if key_share was not present). - supported_versions (the client knows what server selected). However the last group seems to be kind of things that are rather questionable to prune (might be okay, but those make me wary). Also, I came accross one edge case: What if client discovers that all tickets in pre_shared_key are incompatible? The definition does not allow 0 tickets, so choices are: 1) Leave all the tickets (which is not going to work) in. 2) Leave one ticket (which is not going to work) in. 3) Strip the entiere extension. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org<mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org<mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls
- [TLS] What counts as the same ClientHello? Noah Robbin
- Re: [TLS] What counts as the same ClientHello? Short, Todd
- Re: [TLS] What counts as the same ClientHello? Ilari Liusvaara
- Re: [TLS] What counts as the same ClientHello? Noah Robbin
- Re: [TLS] What counts as the same ClientHello? Ilari Liusvaara
- Re: [TLS] What counts as the same ClientHello? Hannes Tschofenig
- Re: [TLS] What counts as the same ClientHello? Short, Todd
- Re: [TLS] What counts as the same ClientHello? Benjamin Kaduk
- Re: [TLS] What counts as the same ClientHello? Eric Rescorla
- Re: [TLS] What counts as the same ClientHello? Benjamin Kaduk
- Re: [TLS] What counts as the same ClientHello? Eric Rescorla
- Re: [TLS] [EXT] Re: What counts as the same Clien… Noah Robbin
- Re: [TLS] What counts as the same ClientHello? Ilari Liusvaara
- Re: [TLS] [EXT] Re: What counts as the same Clien… Eric Rescorla
- Re: [TLS] What counts as the same ClientHello? Ilari Liusvaara
- Re: [TLS] What counts as the same ClientHello? Martin Thomson
- Re: [TLS] What counts as the same ClientHello? Hubert Kario
- Re: [TLS] What counts as the same ClientHello? Ilari Liusvaara