Re: [TLS] Sending Custom DHE Parameters in TLS 1.3

"Blumenthal, Uri - 0553 - MITLL" <> Mon, 12 October 2020 17:36 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <>
To: Ilari Liusvaara <>, Michael D'Errico <>
CC: TLS List <>
Thread-Topic: [TLS] Sending Custom DHE Parameters in TLS 1.3
Date: Mon, 12 Oct 2020 17:35:21 +0000
References: <> <20201012172852.GA2560734@LK-Perkele-VII>
In-Reply-To: <20201012172852.GA2560734@LK-Perkele-VII>

I suggest that custom parameters should be allowed, and documented as completely under user/administrator responsibility.

Ensuring that a custom modulus is not "too small" or "too large" (etc.) in that case is not your problem or your business.

On 10/12/20, 13:32, "TLS on behalf of Ilari Liusvaara" < on behalf of> wrote:

    On Mon, Oct 12, 2020 at 12:36:06PM -0400, Michael D'Errico wrote:
    > It appears that there may be a need to revert to the
    > old way of sending Diffie-Hellman parameters that
    > the server generates.  I see that TLS 1.3 removed
    > this capability*; is there any way to add it back?

    The Diffie-Hellman support in TLS 1.2 is severely broken. There is no
    way to use it safely on the client side. This has led to, e.g., all the web
    browsers removing support for it.

    There is no way to ensure that the parameters sent are not totally
    broken, e.g.:

    - Modulus too small.
    - Modulus too large.
    - Modulus not prime (has been used as a backdoor!).
    - Modulus is weak (possibly backdoored).
    - Subgroup order does not have large prime factor.

    Even checking the third would require a primality test, and primality
    tests at relevant sizes are slow. And the fourth and fifth cannot be
    checked at all in the general case.

    For ECDHE, TLS 1.2 allowed the server to specify a custom curve to do the
    key exchange with. Rightfully, pretty much nobody implemented that.

    I think the TLS WG should withdraw the recommendation (as flawed) on all
    TLS_DHE_* ciphersuites.

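The five-point list in the quoted message maps directly onto what a client could and could not verify about server-supplied finite-field DH parameters. The following Python is an added illustration, not code from the thread or from any TLS implementation: it runs the cheap size checks, the slow primality test, and the one partial answer to the last two points (insisting on the safe-prime form p = 2q + 1 with q prime and g of order exactly q). The 2048/8192-bit bounds, the reason-code names and the 32 Miller-Rabin rounds are this example's own choices; the 2048-bit constant is the RFC 3526 group 14 modulus with its generator 2. Nothing here detects a deliberately weak ("trapdoored") prime, which is the point the message makes.

```python
"""Offline sanity checks on finite-field DH parameters (p, g) as a TLS 1.2
client would receive them.  Added example; not code from the thread or any
TLS stack."""
import random
from typing import List

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases.
    Always True for a prime; wrong for a composite with probability <= 4**-rounds.
    At 2048+ bits each round is a full modular exponentiation: this is the
    'slow' step the message refers to."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0                      # write n - 1 = d * 2**r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: n is composite
    return True


def validate_dh_params(p: int, g: int, min_bits: int = 2048,
                       max_bits: int = 8192) -> List[str]:
    """Return reason codes for every problem found; [] means the parameters
    passed every check that can actually be run.  Order follows the message:
    size (cheap), primality (slow), then the only partial check available for
    'weak modulus' / 'no large prime factor in the subgroup order', which is
    to require the safe-prime form p = 2q + 1 with q prime."""
    problems: List[str] = []
    bits = p.bit_length()
    if bits < min_bits:
        problems.append("too_small")
    if bits > max_bits:
        problems.append("too_large")     # also a CPU-exhaustion knob
        return problems                  # never run a primality test on it
    if p % 2 == 0 or not is_probable_prime(p):
        problems.append("not_prime")
        return problems
    q = (p - 1) // 2
    if not is_probable_prime(q):
        # No vouched-for large prime factor of p - 1: subgroup order unknown.
        # A trapdoored prime is NOT detectable by this or any check below.
        problems.append("not_safe_prime")
        return problems
    if not 2 <= g <= p - 2:
        problems.append("bad_generator_range")
    elif pow(g, q, p) != 1:
        # g of order 2q rather than q: the shared secret leaks one bit.
        problems.append("bad_generator_order")
    return problems


# RFC 3526 group 14 (2048-bit MODP, generator 2), a well-known safe prime.
RFC3526_GROUP14_P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)


if __name__ == "__main__":
    # Small, hand-checkable parameters (constructed) with the size floor lowered.
    print(validate_dh_params(RFC3526_GROUP14_P, 2))   # []
    print(validate_dh_params(23, 2, min_bits=4))        # []  (2^11 = 1 mod 23)
    print(validate_dh_params(25, 2, min_bits=4))        # ['not_prime']
    print(validate_dh_params(13, 2, min_bits=4))        # ['not_safe_prime']
    print(validate_dh_params(11, 2, min_bits=4))        # ['bad_generator_order']
    print(validate_dh_params(23, 2))                    # ['too_small']
```

The 2048-bit run takes on the order of seconds in pure Python, which is the cost a client would pay on every handshake that carried custom parameters; and a modulus that passes all of these checks can still be one whose discrete logarithm is easy for whoever chose it, so a clean result says nothing about the fourth point in the list.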