Re: [TLS] Update on TLS 1.3 Middlebox Issues

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 10 October 2017 09:12 UTC

To: mrex@sap.com, Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBMoW8B78C5UmLqAim4X=jQ8jVRYTP-L7RVnU3AScdFvFw@mail.gmail.com> <20171007091720.012fdb7b@pc1> <CAMfhd9W-=-b4V0tX74k=thE9J2Vet-RH7a-XzkxLutRMT2_5Pg@mail.gmail.com> <20171007172822.6plag25tzae6wzi4@LK-Perkele-VII> <20171009172101.BD9C8404A@ld9781.wdf.sap.corp> <20171009181631.un6hecfgsc7gt5hv@LK-Perkele-VII> <20171010085226.54FF5404A@ld9781.wdf.sap.corp>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <d9b27c27-4b6b-8d1c-38a7-d24ad34626e8@gmx.net>
Date: Tue, 10 Oct 2017 11:11:59 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UOXjIvAjsjwUZZ-tB35a3ZmB_zQ>

Hi Martin,

On 10/10/2017 10:52 AM, Martin Rex wrote:
> Nope, none at all.  I'm _not_ asking for protocol changes, just that
> the TLS handshake continues to end with CCS + HS, and ContentTypes
> remain visible.  Contents of all handshake messages, and whether
> and how that content is protected, remains subject to negotiated
> protocol version which may vary significantly.

FWIW: Making the ContentType visible is a protocol change since the
current version of the TLS / DTLS 1.3 protocol encrypts it.

Ciao
Hannes

PS: I think sending fake ChangeCipherSpec messages around is a terrible
idea.
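The exchange above turns on one record-layer detail of TLS 1.3 (RFC 8446, section 5.2): the real ContentType is moved inside the encrypted payload as the last byte of TLSInnerPlaintext, and the outer record header always says application_data (23), so a middlebox sees only that. The dummy ChangeCipherSpec of the middlebox compatibility mode (RFC 8446, appendix D.4) is the one record that still shows its type on the wire. The following is an added example written for this page, not code from the thread or from any TLS implementation; it shows the framing only and deliberately leaves the AEAD step out (the inner plaintext is passed through as-is, marked in the comments), because the point is what is and is not visible in the record header.

```python
"""TLS 1.3 record framing: where the ContentType actually lives.

Added example; not part of the original mailing-list thread.  No real
encryption is performed: the AEAD call is replaced by a pass-through so
the framing can be inspected offline.
"""

# ContentType values from RFC 8446 section 5.1 / RFC 5246
CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23

LEGACY_RECORD_VERSION = b"\x03\x03"  # TLS 1.2 on the wire, even for 1.3


def encode_inner_plaintext(content: bytes, content_type: int, padding: int = 0) -> bytes:
    """Build a TLSInnerPlaintext: content || type || zeros[padding]."""
    if not 0 <= content_type <= 255:
        raise ValueError("content type must fit in one byte")
    return content + bytes([content_type]) + b"\x00" * padding


def decode_inner_plaintext(inner: bytes) -> tuple[int, bytes]:
    """Recover (content_type, content) from a decrypted TLSInnerPlaintext.

    The receiver scans backwards from the end over the zero padding; the
    first non-zero byte is the type.  A record that is all zeros carries no
    type at all and must be rejected (RFC 8446 requires an unexpected_message
    alert in that case).
    """
    stripped = inner.rstrip(b"\x00")
    if not stripped:
        raise ValueError("no content type found: all-zero inner plaintext")
    return stripped[-1], stripped[:-1]


def protect_record(inner: bytes) -> bytes:
    """Wrap an inner plaintext in a TLSCiphertext record.

    The outer header is fixed: opaque_type = application_data, version 0x0303.
    Constructed stand-in: a real implementation would AEAD-encrypt `inner`
    here (which also adds an authentication tag); this pass-through keeps the
    bytes unchanged so the framing can be checked.
    """
    encrypted_record = inner  # stand-in for AEAD-Encrypt(key, nonce, header, inner)
    if len(encrypted_record) > 2**14 + 256:
        raise ValueError("record too large")
    return bytes([APPLICATION_DATA]) + LEGACY_RECORD_VERSION + len(encrypted_record).to_bytes(2, "big") + encrypted_record


def visible_content_type(record: bytes) -> int:
    """What an on-path observer can read: the first byte of the record header."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    return record[0]


def unprotect_record(record: bytes) -> tuple[int, bytes]:
    """Reverse protect_record(): parse the header, 'decrypt', and find the inner type."""
    if visible_content_type(record) != APPLICATION_DATA:
        raise ValueError("not a protected TLS 1.3 record")
    length = int.from_bytes(record[3:5], "big")
    encrypted_record = record[5:5 + length]
    if len(encrypted_record) != length:
        raise ValueError("record length mismatch")
    inner = encrypted_record  # stand-in for AEAD-Decrypt
    return decode_inner_plaintext(inner)


# The middlebox-compatibility ChangeCipherSpec record (RFC 8446 D.4): type 20,
# version 0x0303, length 1, body 0x01.  It is sent in the clear and is the
# record whose type a middlebox can still see.
COMPAT_CCS_RECORD = bytes.fromhex("140303000101")


def is_compat_ccs(record: bytes) -> bool:
    """True if the bytes are exactly the dummy CCS that TLS 1.3 peers must ignore."""
    return record == COMPAT_CCS_RECORD


if __name__ == "__main__":
    # Constructed sample: an encrypted handshake message (e.g. a post-handshake
    # ticket) is framed exactly like application data on the wire.
    rec = protect_record(encode_inner_plaintext(b"\x04\x00\x00\x00", HANDSHAKE, padding=4))
    print("on the wire:", visible_content_type(rec))           # 23, not 22
    print("after decrypt:", unprotect_record(rec))             # (22, b'\x04\x00\x00\x00')
    print("compat CCS visible type:", visible_content_type(COMPAT_CCS_RECORD))  # 20
```

The two observations the code makes concrete: every protected record, handshake or alert included, is labelled 23 in the header, so asking for "ContentTypes to remain visible" means changing the record format; and the only type a middlebox still sees after the ServerHello is the dummy CCS, which carries no cryptographic meaning and which a TLS 1.3 endpoint simply drops.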