Re: [TLS] TLS 1.3 draft 22 middlebox interaction
David Benjamin <davidben@chromium.org> Fri, 01 December 2017 16:35 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8C8D128A32 for <tls@ietfa.amsl.com>; Fri, 1 Dec 2017 08:35:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H3DFFbycZZnX for <tls@ietfa.amsl.com>; Fri, 1 Dec 2017 08:35:07 -0800 (PST)
Received: from mail-qt0-x233.google.com (mail-qt0-x233.google.com [IPv6:2607:f8b0:400d:c0d::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF06A126DCA for <tls@ietf.org>; Fri, 1 Dec 2017 08:35:06 -0800 (PST)
Received: by mail-qt0-x233.google.com with SMTP id u10so13714874qtg.2 for <tls@ietf.org>; Fri, 01 Dec 2017 08:35:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fJXiuNTC+7DOLowHNz+EuBroaw+apoIRscn8La75nlk=; b=Ki7bOLeuC6fJS9moPrck0+koT+C8RlvRKqs7m7pmVyBYMs7nOZWVXD2cdaqEERfyKT zMJBz6sMPmGvBiz6Q0brasESl+x4/28hCWpmZbU+ePqy66aTVeGlmyzX8t9EWGR/e05W j4lZjp1+0tGsFFrRlNrExSEwo06RdhEKZVv1k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fJXiuNTC+7DOLowHNz+EuBroaw+apoIRscn8La75nlk=; b=MuM7D5cGBX8kf0IfEJ1ru239cA5j8lXX5TPeOhe2TWScqNPa4gfLKVWycnnNaPhoqN tiTTKLZWxWeMdRKv2GszSlZoL6vcxDfCNgwpM/mY6Lc+Nl9h/wMjt4JGD0u8FuUcw4ms aDnVld8JF5o5YLzhiqzSLpVbrUbiaZaMjbqyzDkHimmOcuTeGNsubkrTVP0FQaQW9XUV Jxs+RXUcKfCEYRXLR4qVE7DzH6MluFhHMbA5VyrQjjlU1x0pV9YNZ4SkMnz6EMjbrfnU D9pfARSwQeGh8b0U8La9rl8qSKf684QkZdS43XoYbIYM5T1JjLnyqZq60ouYhz3HjBh8 68xQ==
X-Gm-Message-State: AKGB3mLrbqeLvdbm1VJvC6So68MUzKG/1hqynoawdno9dnMS4HZrtEFP D5ydYwzbY3NIE8ot3a2k82+1HSbzFj06yG1cUsBY
X-Google-Smtp-Source: AGs4zMaS5b+a76YspUjHqcjCdoSenY+3jtVp2G8qF/mHxbG9M5aOrZQ3P71uCzFIdt0M5xza8YlbH4fOpN5+1TdY4eQ=
X-Received: by 10.237.37.177 with SMTP id x46mr9848770qtc.76.1512146105551; Fri, 01 Dec 2017 08:35:05 -0800 (PST)
MIME-Version: 1.0
References: <DB4A1029-DBE2-44D1-97F5-DFFF13BAB52A@nerd.ninja> <CABcZeBNw+X3YCru+BXyfr_J=_mwNcpp1r5E3-ZGiEUij8xJjTg@mail.gmail.com>
In-Reply-To: <CABcZeBNw+X3YCru+BXyfr_J=_mwNcpp1r5E3-ZGiEUij8xJjTg@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 01 Dec 2017 16:34:53 +0000
Message-ID: <CAF8qwaBSWs-GbrPqyvKTj8RcS5KmVOwb28ZZ+60v9FYse3JhhA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: R du Toit <r@nerd.ninja>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a113fe8b278f83f055f49f36e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XATqP26yFFCTOxNnSVk9JjUh0tg>
Subject: Re: [TLS] TLS 1.3 draft 22 middlebox interaction
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 16:35:10 -0000
On Fri, Dec 1, 2017 at 10:18 AM Eric Rescorla <ekr@rtfm.com> wrote: > On Fri, Dec 1, 2017 at 6:47 AM, R du Toit <r@nerd.ninja> wrote: > >> I want to provide some feedback that might be useful to the TLS WG: >> Firefox Nightly TLS 1.3 (draft 22) sessions to tls13.crypto.mozilla.org >> is triggering an interesting failure in at least one middlebox. >> >> >> >> The middlebox in question supports TLS 1.3, but only drafts 18 through >> 21. The FF Nightly ClientHello *supported_versions* extension >> advertises support for TLS 1.2 and TLS 1.3 (draft 22), which the middlebox >> then interprets as only advertising support for TLS 1.2, ignoring the >> 0x7f16 as if it is a "grease" value. The middlebox only perfoms protocol >> checks and does not actually modify anything - the session completes >> without any issues, which shows that the draft 22 middlebox measures are >> effective. FF Nightly then starts a resumed TLS 1.3 (draft 22) session >> that includes 0-RTT early data. The middlebox performs a protocol check on >> the ClientHello and determines that the client is trying to negotiate TLS >> 1.2 (per the logic of the first session). Shortly afterwards the 0-RTT >> AppData record arrives, which then triggers a protocol error in the >> middlebox. "D.3. 0-RTT backwards compatibility" of the draft 22 >> specification describes the problem, but in the context of "older server" >> being "only supports up to TLS 1.2". This particular middlebox can also be >> thought of as "older" because it only supports TLS 1.3 drafts 18 through 21. >> >> >> >> Obviously the middlebox will soon have support for draft 22, but it does >> raise some questions: >> >> >> >> 1. I understand that some of these transition effects will go away as >> soon as draft support is replaced with actual 0x0304 support, but were >> 0-RTT sessions used in the recent TLS 1.3 middlebox resiliency >> experiments? The scenario above shows that some middleboxes might (by >> luck?) not break full TLS 1.3 sessions, but those same middleboxes might >> fail with subsequent 0-RTT early data. >> > > We haven't been testing that. I do expect to see some 0-RTT bustage, but > falling back to a full handshake at that point isn't a security issue, and > so can be handled in the conventional reconnect way. We (Firefox) also are > looking at testing for middlebox compat explicitly and turning off features > like 0-RTT and TFO (which we already see problems with) if needed. > > > 2. Should middleboxes that understand the *supported_versions* extension >> get out of the loop immediately (as in ignore traffic after ClientHello) >> when it sees 0x7fNN, where NN is larger than the highest draft version >> supported by the middlebox? How would that be different from other >> "grease" values? I understand that this might just be a temporary measure >> until 0x7fXX goes away (hopefully soon!). >> > > First, they shouldn't look at #s. Second, it depends what kind if > middlebox you are. If you're a protocol enforcing middlebox (ugh, these > shouldn't exist) you should get out of the way. If you're a MITM device you > should just negotiate a lower version. > > > >> 3. Is there a plan for phasing out draft support once TLS 1.3 is >> finalized as RFC? Servers can stop supporting 0x7fxx as soon as 0x0304 is >> ready, but what should a middlebox do if 0x7fxx is seen post RFC? >> > > I would expect people to just signal the RFC version relatively shortly > after RFC. That's what we (Firefox) plans to do. > To answer your question more directly, as EKR noted above, post-RFC and pre-RFC, middleboxes should not behave differently for 0x0304, 0x7fxx, 0x1234, or 0x0305. If you did not terminate the connection, you don't get to parse variant-dependent fields. Someday the TLSWG will design TLS 1.4 which, like TLS 1.3, has free reign to change everything past the ServerHello again. Or perhaps we'll design a new cipher suite or extension that changes things. New capabilities may be signaled by the client anywhere in the ClientHello. Recall that past TLS 1.2 extensions have injected new messages in the handshake and changed the format of the Certificate message. Adding ECDHE and PSK cipher suites changed how ClientKeyExchange and ServerKeyExchange worked. Earlier drafts of TLS 1.3 completely changed the handshake. I started writing some text on version invariants to make these rules clearer. They were the assumed rules in TLS 1.2, but draft-22 reflects that the network did not honor them. I'll finish that up and make a PR. I do not believe writing this in text will be sufficient, but it is evidently necessary. TLS's versioning invariants are quite simple: if you are not terminating the TLS connection (i.e. the ClientHello was not produced by you), you MUST NOT process any message beyond the ClientHello. If you produced the ClientHello, you can reasonably expect to understand the response and can act as an endpoint does. Any middleware violating this invariant is non-compliant and at risk of breaking as endpoints and the protocol evolve. Alas, this was insufficiently GREASEd from SSL 3.0 through TLS 1.2, so we had to grandfather in existing violations via draft 22. Future violations, however, continue to be non-compliant and you should expect them to break, and quite rapidly as draft-22 shows we need more ideas in the vein of GREASE. David
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction Eric Rescorla
- [TLS] TLS 1.3 draft 22 middlebox interaction R du Toit
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction David Benjamin
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction Yuhong Bao
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction Hanno Böck
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction Salz, Rich
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction Ilari Liusvaara
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction Hubert Kario
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction Salz, Rich
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction Hubert Kario
- Re: [TLS] TLS 1.3 draft 22 middlebox interaction R du Toit