Re: [TLS] TLS interception technologies that can be used with TLS 1.3

Richard Barnes <rlb@ipv.sx> Thu, 15 March 2018 22:16 UTC

In-Reply-To: <5CFD360D-818E-41A0-A140-59C283DC6CB0@akamai.com>
References: <CACsn0cmNuuG4dhkouNzb=RDfYwG25VaKN7cGhm21wfLk-NmS5A@mail.gmail.com> <9B30F837-8F6A-4AF0-A3BD-69F9AFED5D7B@gmail.com> <2832089.SA8sAEVfAM@pintsize.usersys.redhat.com> <6BC4335A-D2E9-41FC-9F72-04B06594883B@gmail.com> <5CFD360D-818E-41A0-A140-59C283DC6CB0@akamai.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 15 Mar 2018 18:16:04 -0400
Message-ID: <CAL02cgQQ7vve5+ndj1tUNgO+eH8cro2Mhhwj-bfBK=BnxECfRw@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Yoav Nir <ynir.ietf@gmail.com>, Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZN3MTn3Q4IvKQcrtM61S7puzzuw>

Just to confirm that I understand the scope of the discussion here:

- TLS libraries have facilities to export keys from the library
- Obviously, it's possible to ship these exported keys elsewhere (`tail -f $SSLKEYLOGFILE | nc $LOGBOX`)

So all we're really talking about is whether to define a way to do the
shipment of the exported keys in-band to the TLS session.


On Thu, Mar 15, 2018 at 3:05 PM, Salz, Rich <rsalz@akamai.com> wrote:

> This is what OpenSSL provides:
>     https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_keylog_callback.html
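An added example, not code from this thread or from OpenSSL: a small audit script for the NSS Key Log Format that `SSLKEYLOGFILE` and OpenSSL's keylog callback write, which reports per TLS session (keyed by client random) which directions of application data a holder of the exported file could read. The sample lines are constructed placeholders, not real secrets.

```python
"""Audit an SSLKEYLOGFILE export (NSS Key Log Format).

Each line is '<LABEL> <client_random hex, 64 chars> <secret hex>'.
TLS 1.2 writes one CLIENT_RANDOM line (master secret); TLS 1.3 writes
one line per derived secret, so exposure is per direction and stage.
"""
import re
from collections import defaultdict

TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# Constructed sample: placeholder hex values, two sessions.
SAMPLE_LOG = "\n".join([
    "# constructed sample, placeholder values",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
])


def parse_keylog(text):
    """Return {client_random: {label: secret_length_in_bytes}}; reject bad lines."""
    sessions = defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not NSS key log format")
        label, client_random, secret = m.groups()
        if label != TLS12_LABEL and label not in TLS13_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label}")
        sessions[client_random.lower()][label] = len(secret) // 2
    return dict(sessions)


def exposure(sessions):
    """Per session: TLS version and which application-data directions the log unlocks."""
    report = {}
    for cr, labels in sessions.items():
        if TLS12_LABEL in labels:  # master secret covers both directions
            report[cr] = {"version": "1.2", "readable": {"client", "server"}}
            continue
        readable = {d for d in ("client", "server")
                    if f"{d.upper()}_TRAFFIC_SECRET_0" in labels}
        report[cr] = {"version": "1.3", "readable": readable}
    return report
```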