Re: [TLS] TLS interception technologies that can be used with TLS 1.3

Hubert Kario <hkario@redhat.com> Thu, 15 March 2018 11:38 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF4A812946D for <tls@ietfa.amsl.com>; Thu, 15 Mar 2018 04:38:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F4O5aoTHvvgX for <tls@ietfa.amsl.com>; Thu, 15 Mar 2018 04:38:30 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89C43128D2E for <tls@ietf.org>; Thu, 15 Mar 2018 04:38:30 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DBAC120CC6; Thu, 15 Mar 2018 11:38:29 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTP id 614AF202322B; Thu, 15 Mar 2018 11:38:29 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Thu, 15 Mar 2018 12:38:28 +0100
Message-ID: <2832089.SA8sAEVfAM@pintsize.usersys.redhat.com>
In-Reply-To: <9B30F837-8F6A-4AF0-A3BD-69F9AFED5D7B@gmail.com>
References: <CACsn0cmNuuG4dhkouNzb=RDfYwG25VaKN7cGhm21wfLk-NmS5A@mail.gmail.com> <9B30F837-8F6A-4AF0-A3BD-69F9AFED5D7B@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1873430.cEgcKzYlD1"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 15 Mar 2018 11:38:29 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 15 Mar 2018 11:38:29 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WQzK3xnxzZo_Kg6cZowHnNX2Q1M>
Subject: Re: [TLS] TLS interception technologies that can be used with TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 11:38:32 -0000

On Thursday, 15 March 2018 05:51:31 CET Yoav Nir wrote:
> At the risk of stating the obvious, it’s because server owners want to use
> the same OpenSSL, NSS, SChannel, or whatever you call the Java library that
> everybody else uses. They’re all widely used, actively maintained, and
> essentially free.
> 
> None of these libraries support any of this functionality.

huh? Sure, it is not nicely packaged in to allow integration with 3rd party 
systems, and sometimes disabled by default, but it's hardly missing...

https://github.com/openssl/openssl/pull/1646

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format

https://bugs.chromium.org/p/chromium/issues/detail?id=393477

> > On 15 Mar 2018, at 2:16, Watson Ladd <watsonbladd@gmail.com>; wrote:
> > 
> > One can either use a static DH share, save the ephemerals on the
> > servers and export them, or log all the data on the servers.
> > 
> > These options don't require any change to the wire protocol: they just
> > require vendors supporting them. Why don't they meet the needs cited?
> > 
> > Sincerely,
> > Watson
> > 
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic