IETF Logo Mail Archive

Re: [TLS] Input on ECH specification

Elardus Erasmus <Elardus.Erasmus@Sophos.com> Thu, 15 February 2024 14:09 UTC

Return-Path: <elardus.erasmus@sophos.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EABBDC14F6F7 for <tls@ietfa.amsl.com>; Thu, 15 Feb 2024 06:09:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.801
X-Spam-Level:
X-Spam-Status: No, score=-2.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sophos.com header.b="b3opxGqx"; dkim=pass (2048-bit key) header.d=mail-dkim-eu-west-1.prod.hydra.sophos.com header.b="7ljfJIBi"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bi5TupbI4bf4 for <tls@ietfa.amsl.com>; Thu, 15 Feb 2024 06:09:30 -0800 (PST)
Received: from id-euw1.prod.hydra.sophos.com (id-euw1.prod.hydra.sophos.com [198.154.180.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AED58C14F693 for <tls@ietf.org>; Thu, 15 Feb 2024 06:09:29 -0800 (PST)
Received: from ip-172-19-0-243.eu-west-1.compute.internal (ip-172-19-0-243.eu-west-1.compute.internal [127.0.0.1]) by id-euw1.prod.hydra.sophos.com (Postfix) with ESMTP id 4TbH4S1L8GzCqkP for <tls@ietf.org>; Thu, 15 Feb 2024 14:09:28 +0000 (UTC)
X-Sophos-Product-Type: Gateway
X-Sophos-Email-ID: 3431b247eb6c4e8eba663061aef39101
Received: from GBR01-LO4-obe.outbound.protection.outlook.com (mail-lo4gbr01lp2105.outbound.protection.outlook.com [104.47.85.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay-eu-west-1.prod.hydra.sophos.com (Postfix) with ESMTPS id 4TbH4Q3Q2MzsR4g; Thu, 15 Feb 2024 14:09:26 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=g1Rbj8PZw1Y9rI5vwUu9X7lbGooQh30FMUzKlc/H1JsJLCKFOuFGWZhYZ1dr1lmrJZZfy9aNF4zksOuRFUaU+EaIAaomsIKmqJ6eM/LBwzI8aui+UTV8utnu3ykD/tsjqMibBXQZoVmCyHWzLOuU4VwmtnRj9m7O8cvlhtdGz+htecpRnwC/AzyKQiRaXc8cOdg82Aa5+PZm4TDVxBqIiPjN7q80xIibFYII6xhXr4EtFqFfD9TtR5xgkLQfvKagJ3grChX+uJx76NxxL+NkmH8HTl2LPKbobwoy0f4+IVWKAgTHfmRsUAoqCWKd4ZzqapzehSuc/nXjhfaTwkACTA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+9Jb/diPgTL5IRjXjHCk/KwvkGdqDPG9ftzJAAiGxSc=; b=aGqhvYhzfBfscmigvQbbJo2V9TahA9IWNqtkIB3n1RavEP8qkwobEXs1svRHU0fMVYhGhsot071AR1xIJvienFojTrpRBHn1wMz13lnfrPtfMAPGttZUHzygBVuMqTKI7aUIcEBjhVE2cZllO1a54DnGcPMRX94OQLThedmTnj/5bUv6as0XNgbg/soifNIV7oTwe370B2ELUSmHcvnxubod142xUA+eQneH1kAUSyGOtIAR0FX3viL9AJm9NvugNGQTvJDQmCxUN66nSBHFsmSnylMUKlB5Z+q76crILiSQR7qAZdoakhesRWsbEiTeRQMOx7TZOkpVMdqzYf9eRQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sophos.com; dmarc=pass action=none header.from=sophos.com; dkim=pass header.d=sophos.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1708006164; s=sophosf69f0521910d49beb03f4ce823e25fdd; d=sophos.com; h=Content-Type:Date:Subject:To:From; bh=9mV3YCbwi7UNyccmCl9z8fnWmMK+KnfNBnxNjIYmCrM=; b=b3opxGqx9N8Jpb4yOLJMBemiSJpIDFpsqlp/ZQM2EUcMr2AofJg3pwrE1LGh2Ck7 scV8b6e8f/x4BSBGeq1zne6+YX7ts/XgbNTXC2D8FbLlM/Ap5Ocm9/TDT4W/6bYlHiS PC60MI9FODEmx4d+igr+pM0/saBbY47eKKA7/yFrT6fJNRR7u1o+lc2NSZld1Upb5k/ L1eUFMqSfmz097Akov2fdKJOm3An/S22VAvxmnRw2HyGa4rvKd1tXn3ShcQj+CykIjb OG78DFh1JkmXk9kmzCGdsvGwLgGRi1GVuY8+a2hISsZxt6qVoHG6MnP6k3oMaabnBJi EoVK0SBlPA==
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1708006164; s=v1; d=mail-dkim-eu-west-1.prod.hydra.sophos.com; h=Content-Type:Date:Subject:To:From; bh=9mV3YCbwi7UNyccmCl9z8fnWmMK+KnfNBnxNjIYmCrM=; b=7ljfJIBivqEQg3B8TKWgEotnkpWk81IrJnW0kNtF+Do6FQrzFGaasYs2wxCnTc2k S22RaY7bUm7HcH46VL9BcMRE3vRYdi8mrzpH3aRcwBuPKnZeJRgf2osdbEtqn/CUvxq JbgEYd2CdvX+mxRM17UeFFHAjffWFwSPDK5uFoSq7zKwbj8n1h/F6l/a2wQNB5WH/TH nsAHA/BO4TLx8LmLoDnAr0dS3GmwLql8c0mdegUwh6hTHMyQAVt8Bq7/mYMUdac+iHP bTnZQvEdFL6ndEtP4JpaWEbLo9QoSnjX4J7MnWapuGERe+AqwhrkNTOUgdvOoW6q977 TFhN8hkcxw==
Received: from CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM (2603:10a6:400:150::9) by LO4P265MB6823.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:349::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7292.29; Thu, 15 Feb 2024 14:09:25 +0000
Received: from CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM ([fe80::cb5:fdae:5bb1:fa46]) by CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM ([fe80::cb5:fdae:5bb1:fa46%4]) with mapi id 15.20.7292.029; Thu, 15 Feb 2024 14:09:25 +0000
From: Elardus Erasmus <Elardus.Erasmus@Sophos.com>
To: Elardus Erasmus <Elardus.Erasmus=40Sophos.com@dmarc.ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Input on ECH specification
Thread-Index: AdpaEZ4w95BWOi+/Q+GJzQV0Cra2GAAApGyAAAvRsoABdTtswA==
Date: Thu, 15 Feb 2024 14:09:24 +0000
Message-ID: <CWXP265MB4681DAA9364F113EDF2C9009954D2@CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM>
References: <CWXP265MB46815100B9E7A58D77168E9595452@CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM> <3696a10b-aa56-421a-8648-822787d47666@cs.tcd.ie> <CWXP265MB46813BF8AFD06DA60A0F72F895442@CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM>
In-Reply-To: <CWXP265MB46813BF8AFD06DA60A0F72F895442@CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=Sophos.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CWXP265MB4681:EE_|LO4P265MB6823:EE_
x-ms-office365-filtering-correlation-id: 14d123d3-a032-49e3-801a-08dc2e2fb720
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +7uxjMTj1wDwbbHmBY5+XN9Y4Ame0b6FAHUAoIfhtVlvVuDuAdC6GO6wyKPErKQ6cZa4f+uRW4jTBFSeTt9uFxjyHG1Ra8+TwL/VAJZkd3JikbluORDFUdT6KeTDbFW6QQL2hO3GK8cxN6IQvlkk3Kt2S8khjtWnS7A/b+Oj1WcuBNttg+w1KWT7y4Ns04aigzYiglfGRTb8AWVc/pzFojBwXZQakvpyNYqdJYWi2o6RzQO4FG6nJhuYvyJEtgjek5e/5y340ekbCeJrLLUN7IMy47czvEQfWTl2AAZES8yBc8hR+wM4FZHZ6ODt5XG/BgJt4Ay9XkLv8qQZyNT+Ogp/Iyq/tr1NG40QGUKFTqJ72w044oFFYZvVujqXWMO8l7YSnifuNRHueJhx0s0efiJPzoQcSpCGQic/28UogV251P1z8nqRk1fv/XJhRkme4QZB/Q8eyziSym3If+DRtTRVYtIe5uLG0CanKNn+iEeKlACmnULSG1I0GQU0aWefYpGAquuIntah19NmJ72g170tGQdldwnqcBhGG3pa/vA7nkUluER7XXbmfwC7pqbup4VzOqsSylH39DU3NoO0ajlkRR+W0BMOu+fEA6FAFp2JlsxWA+iKFsSpwwMJXhb9
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(396003)(136003)(346002)(376002)(39860400002)(366004)(230273577357003)(230922051799003)(451199024)(64100799003)(1800799012)(186009)(2906002)(52536014)(8936002)(5660300002)(8676002)(83380400001)(26005)(33656002)(38100700002)(122000001)(38070700009)(86362001)(66476007)(76116006)(316002)(66446008)(53546011)(64756008)(66556008)(110136005)(6506007)(7696005)(66946007)(9686003)(478600001)(71200400001)(55016003)(41300700001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ZbYpC7FJZhJgKBE/5LMhFB+PX/r06FML/WRzfXDJcymKXf+lX4eI0pHKa+YteaGJeIBm+OJi9pb4tFPduszov0O2nnsa0PwqubmZ7oLnfc9n/5DReupghHQpmQDW7aD/8OzumcydDGiYXEMYG5B9IjVePPhBZU2p7fvP/S3AQp9fF79lg9pqqHSSmn4JH+c/mMBdYAQ3fL1eX68W99Ey7qVwYhoHc6y9iE3Fevt2wvbkW36F8AvI6p4btt4TI7wxhzyd/njF0MVQLx/Ln7FTEPJF3yLHlZoJA3HwQGJkilDPO0smiVNfvUFkNjbOKdOXHN/KmPSw1B/4VybxogzxO/ko6bysnsVJyK4dx99R9x8wYQHLl3/0BifEOM3UETa7Veu5vzerslmsfKI4GAqe85K9BNoa6+gDlMu1VwOGN93T0F2a9g0FtZe7Hg4bwIp1lo1t/yHX+IaLswoPfxygqsQL/0RtOfWobe+JZABQkNFpOPBvWgxm+XWWwX2fzll29w8s3cUc06qBiouZSaCCYqLljeNWwCvCO8VZu1aYwOIcvKXeJYZhp3kFyvbhFk33fc29coxmb1s/2xe9kaKc+WlDpywcTi0RwSfFXSHinz0rnPydUQ8dv3Er1SaoY/5sQmsQhOQStJTVLrXdaKas5iYFt58sX2s1W42tIJMBLtfelR+WYf41a67gqG48+yHcTwi8NGiaIo5I4ZLka+8V1NzluB5UxUaUKz8RGdA6QFCK3Yuo/Xhc8H7gaX6HcLM0i49ZwsN/g0LijQkL4UV7hDFibDoqWqgMvNfw9wW3W+Gvcp8AiQw31Sh+xmg9pF7U3xzX1bjKjCTSjvoIFfiynacfGFZBtc4uDMlMU197Fb0+CQDu8XCPSi6hBh3thju9tOu3DgOHTI9FKduLs15+tHY/f0bHv9Vg462ZE5LIWuoSitbVpbdR2+4haNWfaIZIG44O9LCWTc3fuE5deI9LM6W/FE3RcYsPqlqOTW5R7sP5VtuSG4YFV1acRpv3z6LGjDvIXGsm/1GmTKdNkIAaeYVTCVo9T61sp9ems3EXdF2Ms1oU85IFu8wsdBm5C0KP7DV2ShZkceOBtMVKC67aCOa6js4LqETvF3Tn33JtPh05tTzXbHILxMx3Qus29Im2Nt/IGU6xEIBmdIT+wEdF/KPa4pDHAgJoI0DectkiX+8BiUWwmUImE8OYJbvnil3l4reKnA3H3CzfT5OCNwBmKTsTxgmF8b0RfCLWemlMrMLdir5TH6kwOIhNKEFWEhRzYmE7YhhXTJn3iUNlsYL/6fKxTg/yRz8j+nXggess8/wXFYOPXCw0FHV+Z1nZQui77uoRQB7lQGLdQgysDKJ1ySjKgCE40er2p7wc8JjxVdMVgHC2l909TxGhjkVMlCahcmTly1+S5mR0gqANO2RI8tskiZUIRnyIQtDkrriojsgx5/tjdDx5hQK/r4w38aAM5Slmp4tWRkfPPsmroIoDSB0WNwNwQnJfmvrsUyuUVC4kN87H5D4f7ctuZIMBSanAtJ6zg010vTQwhf+U653f4z+tl4bycKPX1+eFuFDa25QYxxMtlM3RTjHX92TuSATd
Content-Type: multipart/alternative; boundary="_000_CWXP265MB4681DAA9364F113EDF2C9009954D2CWXP265MB4681GBRP_"
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: 2w8vmorPsmj+yPH+uFV9Nj4JwUeQY8zl0tAf/Ix8oayAlEijMddtIb0rB5QnSAZPfJGRjUvHksnAHhQnS9zedbq4nR5dKDNzSqfKwri0ohFrSkx69z6QNaTaw+sr5nmOhQBCa7E0oBpiEp48z3b/bps7yYrBL+8BsWVEp8qsFa1VPiEsoeAC42FFaoVG2uQhxMu/u1FtkcBZ9gKV/B6Ol/gRrbkTfJWhK1dxbXfXtSwkhJnZXMdj0M1aK77dYbx7wH3HPG5FkmFdohXmKkNy7nwdMaLTECS0nZbvThiCL8VUZSmJf2E0iVxYixA/8nUgK+QxZcUtJOcKXg/yOp0u2trWE6zrDGTJoJx3fuQDQsgSKeQFt4LFZu1KzsMX6j9hbK4yajLSnwq3NELD0jIeYyB5RL0kWvIG2vTAqlR8wOda3DhSnqtlc/RbuMdjlTuInpWcuGTK95rYKQmydIsHrrwU4s3fhaolXrFGjI+1oLzUkF6MU4M0CqtCzV7/vdJzx4McbZHLHco5RUfiRB9201jiz5qqlAO2KsoStn0aSlmCYvxqlCpKc7J3gJivr/GrSLtLHL0t0rPDnVYf3w4SGzHgy32Y0CVth4wLRxJO0TnBSIOjI31sGuPul/T/9auY76NJ4XnUFiD52lmxrjfkM/9KbFf88oz8VfYZpVSZYmXESPJ+/P5/aflwj5GOx0rl
X-OriginatorOrg: sophos.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CWXP265MB4681.GBRP265.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 14d123d3-a032-49e3-801a-08dc2e2fb720
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Feb 2024 14:09:25.0156 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 358a41ff-46d9-49d3-a297-370d894eae6a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4tMh6/VAu1uMEP3kFgubKHoC09CSuvtPF2e1shZ31G+lA0Ny+y+yXAkAZZadfmabfqj4fwBy8wGS4jRD3wz9sksOgobi8pfGm5DDKRiL+Jg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO4P265MB6823
X_Sophos_TLS_Connection: OPP_TLS_1_3
X_Sophos_TLS_Delivery: true
X-Sophos-MH-Mail-Info-Key: NFRiSDRTMUw4R3pDcWtQLTE3Mi4xOS4wLjI0Mw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bvvWbtxJAiMfilfy32EvdaCszQ4>
Subject: Re: [TLS] Input on ECH specification
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Feb 2024 14:09:34 -0000

Hi Stephen (and others),

Any thoughts on the items below? If not, I could create PR for further consideration.

Thanks and regards,
Elardus

From: TLS <tls-bounces@ietf.org> On Behalf Of Elardus Erasmus
Sent: Thursday, February 8, 2024 9:44 AM
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; tls@ietf.org
Subject: Re: [TLS] Input on ECH specification

Hi Stephen,   Thanks for pointing this out. In describing the suggestion, I incorrectly used "server_hello", but in the actual suggested text, the correct "EncryptedExtensions mess

Hi Stephen,

Thanks for pointing this out. In describing the suggestion, I incorrectly used "server_hello", but in the actual suggested text, the correct "EncryptedExtensions message" is used.

Let me update the email accordingly, below, and maybe more in the light of general ECH rejection, as opposed to rejection for an absent ECH extension from EE specifically.

Suggestion 1
If I understand correctly, the intention is that a new transport connection should be made, with ECH disabled, for all ECH rejection scenarios - provided "both authentication and the handshake complete successfully", of course. If that is correct, then maybe this (or something else along these lines) could make it clearer:

Section 6.1.6 states:
If none of the values provided in "retry_configs" contains a supported version,
or an earlier TLS version was negotiated, the client can regard ECH as securely
disabled by the server, and it SHOULD retry the handshake with a new transport
connection and ECH disabled.
Maybe change to:
If none of the values provided in "retry_configs" contains a supported version,
or ECH was rejected for any of the reasons in Section 6.1.4,
the client can regard ECH as securely disabled by the server. It SHOULD retry
the handshake with a new transport connection and ECH disabled. If the client
does not retry, it MUST report an error to the calling application.

Suggestion 2
Section 6.1.6 also mentions that:
Clients SHOULD implement a limit on retries caused by receipt of "retry_configs"
or servers which do not acknowledge the "encrypted_client_hello" extension.

The text does not differentiate between retry types for the purpose of limiting the connections. I.e., if the ECH config was replaced, then it is an ECH-enabled retry (with new keys). But if ECH was rejected, then it is an ECH-disabled retry. Limiting the connections may make sense for ECH-enabled retries due to config replacement. But limiting it for ECH-disabled connection retries could mean that connections may start failing abruptly, depending on the aggressiveness of the limit on the client. As long as ECH-disabled connection retries succeed, they should possibly not be limited so that connectivity does not suffer unnecessarily.

It would probably even be good/necessary to implement a holdoff on ECH-enabled connections after ECH has been rejected. I.e., not making an ECH-enabled connection to an SNI that resulted in ECH disabling for some duration of time. Some scenarios where this would be desirable:

  *   The ECH version steps. This will lead to ECH-disabled retries. During DNS propagation time, the number of connections to client-facing servers of ECH enabled sites will double (say a large CDN activates a version step of all its sites all at once). Clients that limit retries could experience connectivity issues, but clients that implement a holdoff would mitigate the connection doubling problem in such a scenario.
  *   A server disables ECH temporarily or serves TLS 1.2. Again, ECH will be rejected/securely disabled, and a connectivity loss may occur (retry limit). A doubling in connections will be experienced until DNS propagation is finished - or indefinitely in case of a config issue (e.g. server administrator does not remove ECH config from DNS).
  *   Section 8.2 talks about middleboxes acting as TLS-terminating proxies. All connections going through such proxies will result in ECH being disabled (due to the ECH extension not being forwarded to the server). Also leading to a possible connectivity loss, or at the very least a permanent doubling in connections.

The "connection doubling" in the scenarios above increases connection establishment latency and adds load to the client, server, and other stateful network devices, and can be mitigated by a temporary holdoff on ECH-enabled connections on the client.

The proposal is therefore to change Section 6.1.6 from:
If none of the values provided in "retry_configs" contains a supported version,
or an earlier TLS version was negotiated, the client can regard ECH as securely
disabled by the server, and it SHOULD retry the handshake with a new transport
connection and ECH disabled.

Clients SHOULD implement a limit on retries caused by receipt of "retry_configs"
or servers which do not acknowledge the "encrypted_client_hello" extension. If
the client does not retry in either scenario, it MUST report an error to the
calling application.

To something like:
Clients SHOULD implement a limit on retries caused by receipt of "retry_configs".
If the client does not retry, it MUST report an error to the calling application.

If none of the values provided in "retry_configs" contains a supported version,
or ECH was rejected for any of the reasons in Section 6.1.4,
the client can regard ECH as securely disabled by the server. It SHOULD retry
the handshake with a new transport connection and ECH disabled. If the client
does not retry, it MUST report an error to the calling application.

Clients SHOULD implement a holdoff on ECH-enabled connections to an SNI for
which ECH has been securely disabled. I.e., those connections made after the
ECH-disabled retry. Clients SHOULD still send a GREASE ECH extension (see
{{grease-ech}}) for ECH-disabled connections made during the holdoff period.

Thanks,
Elardus


-----Original Message-----
From: Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>>
Sent: Wednesday, February 7, 2024 5:23 PM
To: Elardus Erasmus <Elardus.Erasmus@Sophos.com<mailto:Elardus.Erasmus@Sophos.com>>; tls@ietf.org<mailto:tls@ietf.org>
Subject: Re: [TLS] Input on ECH specification

Caution! This message was sent from outside your organization.


Hiya,

Would have to read the other bits but this jumped out...

On 07/02/2024 22:06, Elardus Erasmus wrote:
> Make it clear that if an ECH extension is absent from the
> server_hello, it qualifies as an ECH disabling signal.
When ECH is in real use, most SH messages won't contain an ECH extension as the acceptance signal is encoded in bits of the SH.random. You only see an ECH extension in a SH when we hit HRR. (IIRC.)

Apologies if I'm misinterpreting you in the quote above.
Just sending now in case correcting this changes other bits of your mail (or how I should read it:-)

Cheers,
S.

v2.43.4 | Report a Bug | By Email | System Status