Re: [TLS] TLSv1.3 Cookies
Matt Caswell <frodo@baggins.org> Wed, 13 September 2017 16:19 UTC
Return-Path: <frodo@baggins.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E9391321AC for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 09:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k4LQoLbLJysW for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 09:19:51 -0700 (PDT)
Received: from mx496502.smtp-engine.com (mx496502.smtp-engine.com [IPv6:2001:8d8:968:7d00::19:7e53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85D361252BA for <tls@ietf.org>; Wed, 13 Sep 2017 09:19:51 -0700 (PDT)
Received: from mail-it0-f53.google.com (mail-it0-f53.google.com [209.85.214.53]) by mx496502.smtp-engine.com (Postfix) with ESMTPSA id B84CC1AC for <tls@ietf.org>; Wed, 13 Sep 2017 17:19:49 +0100 (BST)
Received: by mail-it0-f53.google.com with SMTP id 6so3741299itl.1 for <tls@ietf.org>; Wed, 13 Sep 2017 09:19:49 -0700 (PDT)
X-Gm-Message-State: AHPjjUhi1vnPx14qUZDceFLK8Ovcu/2+tIYvyVqPsugJvkChCQzqoGYa VmdN/kiblBl9jkslxaxtcPTITuf8FUdWlj1YZ2E=
X-Google-Smtp-Source: AOwi7QDr/VCNSdNY8Ri0NOpoYQ86p096kixJYhaVYmPbUtDrT2l+EsO0Tkf3z7yXcuf3FS1tqDlZBZVvlXhFGwZKKhw=
X-Received: by 10.36.61.15 with SMTP id n15mr4993926itn.117.1505319586919; Wed, 13 Sep 2017 09:19:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.165.25 with HTTP; Wed, 13 Sep 2017 09:19:45 -0700 (PDT)
In-Reply-To: <20170913160845.khjf5odas3ns5u5z@LK-Perkele-VII>
References: <CAMoSCWYXWJMkFAdrcy033_bjMZjRUiU-V5f8MkoTXyvDfw+z6A@mail.gmail.com> <20170913150929.nupe6fq5rqtroflp@LK-Perkele-VII> <CAMoSCWapcL_xPLvkm6ey+Go1U+4Z_y2bZbKqCRPSHntFj3G41w@mail.gmail.com> <20170913160845.khjf5odas3ns5u5z@LK-Perkele-VII>
From: Matt Caswell <frodo@baggins.org>
Date: Wed, 13 Sep 2017 17:19:45 +0100
X-Gmail-Original-Message-ID: <CAMoSCWY8_=iQhXr_JScKLbTErMELoqxcVxQ8eLe4yKr_S8TPxw@mail.gmail.com>
Message-ID: <CAMoSCWY8_=iQhXr_JScKLbTErMELoqxcVxQ8eLe4yKr_S8TPxw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dVX_HEPOw8yfAZ387nnMvl2IusY>
Subject: Re: [TLS] TLSv1.3 Cookies
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 16:19:54 -0000
On 13 September 2017 at 17:08, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: >> > Yes, if one receives a ClientHello with both Cookie and EarlyData, one >> > can reply with a fatal alert, because that is not supposed to happen. >> >> That isn't quite the scenario I was talking about. Rather your case >> (2) above in a server which is operating statelessly, i.e. the client >> has attempted to send early_data but has not provided a valid cookie >> yet. The early_data when it arrives will look like bad packets, even >> though (from the client perspective) it was valid to send them. > > If you really got some transport that uses TLS on something where > stateless operation makes sense (so not TCP) that transports the 0-RTT > TLS data in-band (so not QUIC), just throw any initial records starting > with 0x17 into trash. > > AFAIK, QUIC does not use TLS 0-RTT data, it uses 0-RTT exporters to > derive encryption keys for data, that is sent outside TLS. So in > that case, TLS would see two consequtive ClientHello messages if the > first gets rejected. Ah! Right - yes that is a good point. I was looking at this from the perspective of the need to support QUIC. I had missed that subtlety - thanks. There is still a theoretical issue if something other than TLS/TCP or TLS/QUIC wants to do this. But given there is no actual known use case for that then I guess we can cross that bridge when we come to it. Matt
- [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Ilari Liusvaara
- Re: [TLS] TLSv1.3 Cookies Short, Todd
- Re: [TLS] TLSv1.3 Cookies Eric Rescorla
- Re: [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Eric Rescorla
- Re: [TLS] TLSv1.3 Cookies Ilari Liusvaara
- Re: [TLS] TLSv1.3 Cookies Matt Caswell