Re: [TLS] ECH and resumption - what to put in SNI?

David Benjamin <> Fri, 25 June 2021 16:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C47AA3A058F for <>; Fri, 25 Jun 2021 09:01:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.448
X-Spam-Status: No, score=-9.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.198, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YbHPLyXQAGrB for <>; Fri, 25 Jun 2021 09:01:30 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C76633A0542 for <>; Fri, 25 Jun 2021 09:01:30 -0700 (PDT)
Received: by with SMTP id q192so8376512pfc.7 for <>; Fri, 25 Jun 2021 09:01:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6HInnzf/6dYTtRQYI6jp6Aql70Q0KOkV1Iff5uPp1nQ=; b=ZzNbosdbQQLGShfvt422GkgjmrinwbSICgcYYppFYFqbLTbQLrgJfrXR3ljpC/YRgg goYO9NLCXu9OIcrPkvXOdpUULZti4L6ZWsdTJ73P/O9kU+J3S9Qs5kL+/x36qyovUwdk QAI5xhcAKe9DjZWkz4+z3YtVgVBmMTm1pQapY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6HInnzf/6dYTtRQYI6jp6Aql70Q0KOkV1Iff5uPp1nQ=; b=uLwSOdHgIoNpxYsGbHRY0s/qr4LXYk0cR/KvZsT1CVm57DcU32c5lSphXPMAmFI2qq EGGXHhSEWqqNCn/uR8uSF2XBiYNS6MhMnIIFuUOgyf1kOduzs/F/aBTwWkiazMAAah18 NuJpMF9OHRHd+L60FKmsN/V4etuoweKhJ46IJrk8rFnjnhPxmroAeEfLulDrBActydEQ 5VqcIihUsUTM0uLdk+cuxhTQbJUhQo6WL9ZsrrIf1am3EHN40iGtDFp+3/3R6dAHbZN5 OPYqPPIcYOeuoUw7n1X0K8MrFlVVwMuzmFLGMkOGG1tsFivnJV18X2x9V8ZSds3iduQn wMKQ==
X-Gm-Message-State: AOAM530RkOZYfJIxicnhdYeFMeRD6BOa5moKQ0bq0RI9SsUF5Ol39G0m mFMkC5HLeNkOZnsPjxeXdcGjHNYyIM5+dS4lmzcz
X-Google-Smtp-Source: ABdhPJw4JZ1Ea3XAExDf3oejqFbYLMUg8gKbXTVhdZhmjczOxqoRIYeXceNEyX4yfVvzYhn5iepuNwT8VN4NPf7hTgI=
X-Received: by 2002:a62:7616:0:b029:305:f420:49cc with SMTP id r22-20020a6276160000b0290305f42049ccmr11309745pfc.51.1624636888326; Fri, 25 Jun 2021 09:01:28 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: David Benjamin <>
Date: Fri, 25 Jun 2021 12:01:11 -0400
Message-ID: <>
To: Eric Rescorla <>
Cc: Stephen Farrell <>, "" <>
Content-Type: multipart/alternative; boundary="0000000000009eb4a805c599401e"
Archived-At: <>
Subject: Re: [TLS] ECH and resumption - what to put in SNI?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 25 Jun 2021 16:01:36 -0000

In addition to needing to send ECH in case the server declines resumption,
we need to keep the ticket under encryption anyway. Without changing how
resumption works, there are a couple of attacks on cleartext tickets:

1. If the tickets from two backend servers are distinguishable from each
other, a cleartext ticket will tell you which backend server it was. This
isn't that implausible as ticket formats often start with a "key name" to
handle ticket rotations (RFC5077 even recommended this), and different
backend servers will use different key names if they don't intentionally
coordinate them.

2. Even if the backend servers have aligned their tickets, an attacker can
still check if the server believes a ticket is resumable with a server name
by sending a non-ECH ClientHello, copying the ticket, making up a fake
binder, and seeing if the server noticed the binder was bad. (Bad binders
are fatal to the connection, but the server only checks a binder once it's
decided to resume with a ticket.) This allows an attacker to confirm a
guess about the server name, up to ticket scope granularity.

Always sending ECH avoids both of these.

This is also the simplest answer and aligns with how we've done everything
else in TLS. The client always offers everything it accepts and allows for
resumption to miss. Resumption may miss for reasons other than key
rotation. Suppose the server changed its version or cipher suite
preferences. That would impact which tickets it accepts. Plus RFC8446
requires that the client resume with the same SNI value, and we have
draft-ietf-tls-cross-sni-resumption as a WG item. Making SNI implicit from
resumption would require revisiting all of that.

I don't follow the concern about clients that can't do fresh DNS queries.
There are two possibilities for any given layer of the system that sets up

1. Either this layer knows how to set up TLS, but doesn't know how to
establish connections. Low-level TLS APIs look like this. This layer must
take both the transport connection and ECHConfigList as an external
parameter. Resumption works orthogonally: the layers above run through the
same connection establishment procedure independent of resumption, so you
won't have any more stale of ECHConfigList for resumption as full
handshake. If this layer doesn't know how to establish connections for full
handshakes, it doesn't know how to do it for resumption handshakes either.

2. Or this layer knows how to establish a connection *and* set up TLS.
Maybe this is a higher-level TLS API. Maybe this is the
MakeHTTPSConnection() portion of your HTTP stack. In this case, the layer
is responsible for DNS lookup, evaluating HTTPS/SVCB queries, and using the
ECHConfigList. Resumption is equally orthogonal: whenever you make a
connection, you do the DNS lookup, possibly using a cached record. Then you
check your session cache. Use ECH if you have an ECHConfigList. Offer
resumption if you have a session. Do both if you have both.

In both cases, resumption doesn't affect ECHConfigList availability.

On Fri, Jun 25, 2021 at 10:39 AM Eric Rescorla <> wrote:

> On Fri, Jun 25, 2021 at 7:21 AM Stephen Farrell <>
> wrote:
>> Hiya,
>> If a client established a session to
>> using ECH with a public_name of, what ought
>> the client put in the SNI when resuming?
>> Ignoring ECH, 8446 seems to imply one ought put in
>> [1] but that'd defeat the purpose of
>> ECH.
>> If one omits SNI, that would likely be hard to handle
>> for a client-facing server when it tries to route
>> to a good split-mode backend. The same could be true
>> even if is included as the SNI.
>> I guess the client could do ECH again, but that'd also
>> be odd, as it'd require asymmetric crypto when resuming
>> (which I guess is a lot of the point of tickets), and
>> depending on ticket ages vs. ECHConfig key rotation
>> times, might cause interesting failures for a library
>> client that can't do fresh DNS queries from within the
>> library (and might never see the TTL of the HTTPS/SVCB
>> RR in any case).
> TLS session resumption is soft state, so I believe the correct response
> here is to send ECH. Otherwise, the server cannot properly respond
> if it is not willing to accept the ticket.
> The only real alternative here is to have some way for the server
> to indicate that it has forgotten the ticket and the client needs to
> do a full handshake and *now* do ECH. But of course, that's
> not something that's currently specified and isn't really a great
> fit for anything in the protocol, though I guess HRR is closest.
> -Ekr
>> Am I missing something obvious? If not, what's best here?
>> (And we should probably have some text in the draft on
>> this too.)
>> Cheers,
>> S.
>> PS: I guess if the inner and outer ALPNs differed in
>> the original CH, similar issues might arise for a
>> client-facing server, in terms of figuring out the
>> right backend to which the resumed session should be
>> routed, if routing were based on e.g. the inner ALPN.
>> [1]
>> _______________________________________________
>> TLS mailing list
> _______________________________________________
> TLS mailing list