Re: [TLS] Sending Custom DHE Parameters in TLS 1.3
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 12 October 2020 17:29 UTC
Date: Mon, 12 Oct 2020 20:28:52 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Michael D'Errico <mike-list@pobox.com>
Cc: TLS List <tls@ietf.org>
Message-ID: <20201012172852.GA2560734@LK-Perkele-VII>
References: <8f57527d-efba-4d03-a3e5-f0ee33463d56@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/acjtJNXcKLVyqDxzqKXyskiGPPc>
On Mon, Oct 12, 2020 at 12:36:06PM -0400, Michael D'Errico wrote:
>
> It appears that there may be a need to revert to the
> old way of sending Diffie-Hellman parameters that
> the server generates. I see that TLS 1.3 removed
> this capability*; is there any way to add it back?

The Diffie-Hellman support in TLS 1.2 is severely broken. There is no way to use it safely on the client side. This has led to, e.g., all the web browsers removing support for it.

There is no way to ensure that the parameters sent are not totally broken, e.g.:

- Modulus too small.
- Modulus too large.
- Modulus not prime (has been used as a backdoor!).
- Modulus is weak (possibly backdoored).
- Subgroup order does not have a large prime factor.

Even checking the third would require a primality test, and primality tests at relevant sizes are slow. And the fourth and fifth can not be checked at all in the general case.

For ECDHE, TLS 1.2 allowed the server to specify a custom curve to do the key exchange with. Rightfully pretty much nobody implemented that.

I think the TLS WG should withdraw the recommendation (as flawed) on all TLS_DHE_* ciphersuites.

-Ilari
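To make the argument above concrete, here is an added example (not code from the thread or from any TLS implementation) of what a TLS 1.2 client could check on server-sent DHE parameters (p, g, Ys) and where the checks stop: the size bounds, the function names and the safe-prime policy are assumptions, and the one thing the code cannot decide is whether a structurally valid p was chosen to be weak.

```python
import random

# Constructed client-side validation of server-supplied DHE parameters.
# Size bounds are assumed policy, not taken from any RFC.
MIN_BITS = 2048   # below this the modulus is "too small"
MAX_BITS = 8192   # above this it is "too large" (exponentiation cost, DoS)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin. Cost grows roughly with rounds * bits^3: at 2048+ bits
    this is the slow step the message refers to, and it runs per handshake."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # composite witness found
    return True

def check_dhe_params(p, g, ys, min_bits=MIN_BITS, max_bits=MAX_BITS):
    """Return (ok, reason). Only safe primes (p = 2q + 1) are accepted, since
    that is the one case where the subgroup order is verifiable from p alone;
    for an arbitrary p the client has no way to learn the group order."""
    bits = p.bit_length()
    if bits < min_bits:
        return False, "modulus too small"
    if bits > max_bits:
        return False, "modulus too large"
    if not is_probable_prime(p):
        return False, "modulus not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False, "subgroup order not a large prime (p is not a safe prime)"
    if not (1 < g < p - 1):
        return False, "generator out of range"
    if not (1 < ys < p - 1) or pow(ys, q, p) != 1:
        return False, "server public value not in the order-q subgroup"
    # Everything checkable passed; a deliberately weak p still gets through.
    return True, "structurally valid; weakness or backdoor of p is undetectable"
```

Only the bounds and the primality/subgroup membership checks are decidable here; the "weak modulus" case in the list above has no test at all, which is the point of the message.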