IETF Logo Mail Archive

Re: [TLS] Securely disabling ECH

ietf@dennis-jackson.uk Mon, 10 October 2022 08:15 UTC

Return-Path: <ietf@dennis-jackson.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4011C14CF1B for <tls@ietfa.amsl.com>; Mon, 10 Oct 2022 01:15:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dennis-jackson.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1Ev-nxzrFEn for <tls@ietfa.amsl.com>; Mon, 10 Oct 2022 01:15:38 -0700 (PDT)
Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [80.241.56.151]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E953BC14F72C for <tls@ietf.org>; Mon, 10 Oct 2022 01:15:37 -0700 (PDT)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [IPv6:2001:67c:2050:b231:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4MmBYc1s6Rz9sRV for <tls@ietf.org>; Mon, 10 Oct 2022 10:15:32 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dennis-jackson.uk; s=MBO0001; t=1665389732; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=64NOhQrQBw0Bb3ovh6CqwZ7RPzxRh4H+7pL92iovQFE=; b=SHDWU4LxLkNdQK+lxXGkKvS6tjHNQFRdI7F897IDhRTpYcan+l/FbhyHn4okXOYamsS2VZ kOX45XtMZHq6hJK8Tw/DwtRknv7n3g1GEQUaIRQ43CRaXcwlpbCkYHC9Fda99nwht+6IKC ZNjUzAedfNGdVpseg9kpF4As3Y4hwKfPvb9jeYv9yVMI4RNJWF9YOzOEfKBRcJXH/VPQ59 qNzPCw5Wr46TSzBiX17k5uT+Shl2GMsMa5IdPzww4RQz72WDhNL3QSrCm9aI9+lRzF8aWJ tjRSHdHGDDGCe0EakZ6v3vxjf7tDrs49o8UgEV9SF0JrIFLv0kjKFt7sk1UrCw==
Content-Type: multipart/alternative; boundary="------------hGI4vkKyM8I8N8j7YT8rI4cy"
Message-ID: <5f60150d-f066-06f6-c837-3aab6cfdf608@dennis-jackson.uk>
Date: Mon, 10 Oct 2022 09:15:01 +0100
MIME-Version: 1.0
Content-Language: en-US
To: tls@ietf.org
References: <D329A151-5F0B-427D-96FE-995170658555@akamai.com> <DE09B6CD-288A-4D10-989D-0FFC7D190F17@gmail.com>
From: ietf@dennis-jackson.uk
In-Reply-To: <DE09B6CD-288A-4D10-989D-0FFC7D190F17@gmail.com>
X-Rspamd-Queue-Id: 4MmBYc1s6Rz9sRV
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_cH84LZEpcU2nex2Z6RG346HI8c>
Subject: Re: [TLS] Securely disabling ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2022 08:15:43 -0000

Hi,

provided the middlebox is authoritative (has a valid TLS certificate for 
the server in question), then Firefox will carry out the described retry 
behavior. Currently all ECH support is disabled behind a pref by 
default, but you can enable it by setting network.dns.echconfig.enabled 
to true. You will also need to enable DNS over HTTPS and browse to a 
domain with an ECH config.

Best,
Dennis


On 08/10/2022 04:40, Safe Browsing wrote:
> Hi Rich,
>
> When I say “authoritative”, I mean it in the true TLS sense, in the 
> way that I believe the ECH draft also suggests and requires.
>
> In other words, the middlebox serves a cert to the client that is 
> cryptographically valid for the said public name of the client facing 
> server.
>
> How can that be when the client facing server guards its private key 
> properly? By re-signing the server certificate on the middlebox with a 
> private key, local to the middle box only, for which the corresponding 
> certificate has been installed in the trust store of the client, 
> before sending it on to the client. Only after the original server 
> certificate has been validated properly on the middlebox, of 
> course. Message digests being managed accordingly/appropriately.
>
> That is a very typical setup for most (all?) TLS inspection devices 
> (next gen firewalls and such).
>
> Thus this part of ECH, requiring the middlebox to be authoritative for 
> the server, is well understood and prolifically exercised in inspected 
> TLS sessions today. What is new is that these connections can now 
> fail/close, in the “securely disabling ECH” case, and the onus is on 
> the TLS client, not the application, to retry the connection without ECH.
>
> I am after such a client, if one exists already.
>
> Thank you.
>
> Sent from my phone
>
>> On Oct 7, 2022, at 11:41 AM, Salz, Rich <rsalz@akamai.com> wrote:
>>
>> 
>>
>>   * Client <-> *Middlebox* <-> Client-facing server <-> Backend server
>>
>>   * With "Middlebox" really meaning a middlebox like a firewall or
>>     similar.
>>
>> The middlebox is not allowed to modify traffic between the client and 
>> the server. Doing so would mean that the packets the client sent are 
>> not the ones that the server received, and the two message digests 
>> would disagree.  (If you think about things, it **has** to be this 
>> way, otherwise TLS would not be able to provide integrity guarantees.)
>>
>>   * From the draft, ECH seems to be designed to still allow
>>     successful TLS connection establishment if the
>>     encrypted_client_hello extension is dropped from the ClientHello
>>     on a conforming middlebox. Provided that the middlebox is
>>     authoritative for the client-facing server's public name, as
>>     reported/delivered by DNS to the client. We can assume that this
>>     is the case here.
>>
>> I do not understand what you mean by this.  The word “authoritative” 
>> is used to mean that it has a certificate and keypair and can do TLS 
>> termination. DNS giving the client a particular IP address is not 
>> authoritative. It can be confusing because DNS terminology uses 
>> authoritative to mean that a particular entity can prepare data used 
>> for DNS responses.  But it is not authoritative in the TLS sense.
>>
>> I think your questions can be answered with those two overall 
>> corrections above.  If not, please continue the thread.  (And feel 
>> free to repost from your note since I trimmed for brevity.)
>>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email